Abstract

Predicate logic is a powerful and general descriptive formalism with a long history of development. However, since the logic's underlying semantics have no notion of time, statements such as "I increases by 2" and "The bit signal X rises from 0 to 1" cannot be directly expressed. We present a formalism called interval temporal logic (ITL) that augments standard predicate logic with time-dependent operators. ITL is like discrete linear-time temporal logic but includes time intervals. The behavior of programs and hardware devices can often be decomposed into successively smaller intervals of activity. State transitions can be characterised by properties relating the initial and final values of variables over intervals. Furthermore, these time periods provide a convenient framework for introducing quantitative timing details.

After giving some motivation for reasoning about hardware, we present the propositional and first-order syntax and semantics of ITL. We demonstrate ITL's utility for uniformly describing the structure and dynamics of a wide variety of timing-dependent digital circuits. Devices discussed include delay elements, adders, latches, flip-flops, counters, random-access memories, a clocked multiplication circuit and the Am2901 bit slice. ITL also provides a means for expressing properties of such specifications. Throughout the dissertation, we examine such concepts as device equivalence and internal states. Propositional ITL is shown to be undecidable although useful subsets are of relatively reasonable computational complexity.
Chapter 1

INTRODUCTION

§1.1 Motivation

Computer systems continue to grow in complexity and the distinctions between hardware and software keep on blurring. Out of this has come an increasing awareness of the need for behavioral models suited for specifying and reasoning about both digital devices and programs. Contemporary hardware description languages (for example [5,35,46]) are not sufficient because of various conceptual limitations:

• Most such tools are intended much more for simulation than for mathematically sound reasoning about digital systems.

• Difficulties arise in developing circuit specifications that out of necessity must refer to different levels of behavioral abstraction.

• Existing formal tools for such languages are in general too restrictive to deal with the inherent parallelism of circuits.

Consider now some of the advantages of using predicate logic [12] as a tool for specification and reasoning:

• Every formula and expression in predicate logic has a simple semantic interpretation.

• Concepts such as recursion can be characterised and explored.

• Subsets of predicate logic can be used for programming (e.g., Prolog [24]).

• Theorems about formulas and expressions can themselves be stated and proved within the framework of predicate logic.

• Reasoning in predicate logic can often be reduced to propositional logic. Propositional logic also provides a means for reasoning about bits in digital circuits.

• Decades of research lie behind the overall predicate logic formalism.

One problem with predicate logic is that it has no built-in notion of time and therefore cannot directly express such dynamic tasks as

"I increases by 2"

or

"The values of A and B are exchanged"

"The bit signal X rises from 0 to 1."

Here are some ways to handle this limitation:

• We can simply try to ignore time. For example, the statement "I increases by 2" can be represented by the formula

$I = I + 2.$

Similarly, the statement "The values of A and B are exchanged" can be expressed as

$(A = B) \wedge (B = A).$

Unfortunately, this technique doesn't work since neither of these formulas has the intended meaning.

• Each variable can be represented as a function of time. Thus, we might express the statement "I increases by 2" as the formula

$I(t_f) = I(t_0) + 2,$

where $t_0$ designates the initial time and $t_f$ is the final time. In an analogous manner, we can express the statement "The values of A and B are exchanged" as

$[A(t_f) = B(t_0)] \wedge [B(t_f) = A(t_0)].$

Because of the extra time variables such as $t_0$, this approach rapidly becomes tedious and lacks both clarity and modularity. For example, it is not straightforward to alter the above formulas to concisely express the statements "I increases by 2 and then by 3" and "The values of A and B are exchanged n times in succession."

• Variables can be represented as lists or histories of values. Thus, the statement "I increases by 2" corresponds to the formula

$\mathit{last}(I) = \mathit{first}(I) + 2$

where $\mathit{first}(I)$ equals $I$'s first element and $\mathit{last}(I)$ equals $I$'s last element. This technique is very much like the previous one and suffers from similar problems.

The logic presented in this paper overcomes these problems and unifies in a single notation digital circuit behavior that is generally described by means of the following techniques:

• Register transfer operations

• Flowgraphs and transition tables

• Tables of functions

• Timing diagrams

• Schematics and block diagrams

Using the formalism, we can describe and reason about qualitative and quantitative properties of signal stability, delay and other fundamental aspects of circuit operation.

We present an extension of linear-time temporal logic [31,39] called interval temporal logic (ITL). The behavior of programs and hardware devices can often be decomposed into successively smaller periods or intervals of activity. These intervals provide a convenient framework for introducing quantitative timing details. State transitions can be characterised by properties relating the initial and final values of variables over intervals of time. The principal feature of ITL is that every formula refers to some implicit interval of time. The dissertation will later examine the logic's formal syntax and semantics in great depth. Below are a few English-language statements and corresponding formulas in ITL. These examples are meant to give a feel for what ITL looks like.

• I increases by 2:

$I + 2 \to I$

• The values of A and B are exchanged:

$(A \to B) \wedge (B \to A)$

• I increases by 2 and then by 3:

$(I + 2 \to I);(I + 3 \to I)$

• The values of A and B are exchanged n times in succession:

$([A \to B] \wedge [B \to A])^n$

• The bit signal X rises from 0 to 1:

$(X \approx 0);\mathit{skip};(X \approx 1)$

As in conventional logic, we can express properties without the need for a separate "assertion language." For example, the formula

$[(I + 1 \to I);(I + 1 \to I)] \supset (I + 2 \to I)$

states that if the variable I twice increases by 1 in an interval, then the overall result is that I increases by 2.
ITL's applicability is not limited to the goals of computer-assisted verification and synthesis of circuits. This type of notation, with appropriate "syntactic sugar," can provide a fundamental and rigorous basis for communicating, reasoning or teaching about the behavior of digital devices, computer programs and other discrete systems. We apply it to describing and comparing devices ranging from delay elements up to a clocked multiplication circuit and the Am2901 ALU bit slice developed by Advanced Micro Devices, Inc. Interval temporal logic also provides a basic framework for exploring the computational complexity of reasoning about time. Simulation-based languages can perhaps use such a formalism as a vehicle for describing the intended semantics of delays and other features. In fact, we feel that ITL provides a sufficient basis for directly describing a wide range of devices and programs. For our purposes, the distinctions made in dynamic logic [19,37] and process logics [11,20,38] between programs and propositions seem unnecessary. Manna and Moszkowski [29,30] show how ITL can itself serve as the basis for a programming language.

§1.2 Contributions of Thesis

Here is a summary of the key ideas developed in this thesis:

• The propositional and first-order syntax and semantics of interval temporal logic are presented.

• We give complexity results regarding satisfiability of formulas in propositional ITL.

• We demonstrate the utility of ITL for uniformly describing and reasoning about the structure and dynamics of a wide variety of timing-dependent digital circuits. Devices discussed include delay elements, adders, latches, flip-flops, counters, random-access memories, a clocked multiplication circuit and the Am2901 bit slice.

• The overall approach used indicates that multi-valued logics and partial values such as $\bot$ are not necessary in the treatment of timing-dependent hardware.




§1.3 Organization of Thesis

Chapter 2 introduces the propositional form of interval temporal logic. The logic's basic syntax and semantics are given. In addition, ITL serves to express a number of general temporal concepts and properties. The chapter concludes with some results on the theoretical complexity of propositional ITL.

In chapter 3, we present first-order ITL. A variety of useful predicates are introduced to capture dynamic notions such as assignment and signal transitions.

The next few chapters show how to formalise specifications and properties of a number of digital devices. Chapter 4 describes and compares a number of delay models that arise in digital systems. In chapter 5 we introduce some extra notation for dealing with subscripting, conversion and tuples. Chapter 6 looks at adders, chapter 7 discusses latches and chapter 8 examines flip-flops. Chapter 9 contains descriptions and properties of multiplexers, random-access memories, counters and shift registers.

Chapter 10 discusses a clocked multiplication circuit and shows one way to derive a suitable multiplication algorithm in ITL. In chapter 11, we use ITL to describe and reason about the functional behavior of the Am2901 bit slice, a large-scale integrated circuit. The dissertation concludes with chapter 12 containing a discussion of some related work and future research directions.


Chapter 2

PROPOSITIONAL INTERVAL TEMPORAL LOGIC

We first present propositional ITL; this later provides a basis for first-order ITL.

§2.1 The Basic Formalism

Syntax

Propositional ITL basically consists of propositional logic with the addition of modal constructs to reason about intervals of time.

Formulas are built inductively out of the following:

• A nonempty set of propositional variables:

$P, Q, \ldots$

• Logical connectives:

$\neg w$ and $w_1 \wedge w_2$, where $w$, $w_1$ and $w_2$ are formulas.

• Next:

$\bigcirc w$ (read "next $w$"), where $w$ is a formula.

• Semicolon:

$w_1;w_2$ (read "$w_1$ semicolon $w_2$" or "$w_1$ followed by $w_2$"), where $w_1$ and $w_2$ are formulas.
Examples:

Here are some sample formulas:

$P$

$P \wedge Q$

$\bigcirc(P \wedge \neg R)$

$Q;(P \wedge R)$

$\neg Q \wedge \bigcirc[P;\bigcirc(Q;R)]$

Notice that all constructs, including $\bigcirc$ and semicolon, can be arbitrarily nested.

Models

Our logic can be viewed as linear-time temporal logic with the addition of the "chop" operator of process logic [11,20]. The truth of variables depends not on states but on intervals. A model is a pair $(\Sigma, \mathcal{M})$ consisting of a set of states $\Sigma = \{s, t, \ldots\}$ together with an interpretation $\mathcal{M}$ mapping each propositional variable $P$ and nonempty interval $s_0 \ldots s_n \in \Sigma^+$ to some truth value $\mathcal{M}_{s_0 \ldots s_n}[\![P]\!]$. In what follows, we assume $\Sigma$ is fixed.

The length of an interval $s_0 \ldots s_n$ is $n$. An interval consisting of a single state has length 0. It is possible to permit infinite intervals although for simplicity we will omit them here. An interval can also be thought of as the sequence of states of a computation. In the language of Chandra et al. [11], our logic is "non-local" with intervals corresponding to "paths."

Here is a sample model:

• States:

$\Sigma = \{s, t, u\}$

• Assignments:

Variables    Where $\mathcal{M}$ is true
$P$          $s,\ t,\ tus,\ tt,\ ts,\ su$
$Q$          $t,\ ts,\ tst,\ tsts$
$R$          none
Interpretation of formulae

We now extend the meaning function $\mathcal{M}$ to arbitrary formulas:

• $\mathcal{M}_{s_0 \ldots s_n}[\![\neg w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w]\!] = \mathit{false}$

The formula $\neg w$ is true in an interval $s_0 \ldots s_n$ iff $w$ is false.

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \wedge w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w_1]\!] = \mathit{true}$ and $\mathcal{M}_{s_0 \ldots s_n}[\![w_2]\!] = \mathit{true}$

The conjunction $w_1 \wedge w_2$ is true in $s_0 \ldots s_n$ iff $w_1$ and $w_2$ are both true.

• $\mathcal{M}_{s_0 \ldots s_n}[\![\bigcirc w]\!] = \mathit{true}$ iff $n \ge 1$ and $\mathcal{M}_{s_1 \ldots s_n}[\![w]\!] = \mathit{true}$

The formula $\bigcirc w$ is true in an interval $s_0 \ldots s_n$ iff $w$ is true in the subinterval $s_1 \ldots s_n$. If the original interval has length 0, then $\bigcirc w$ is false.

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1;w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_i}[\![w_1]\!] = \mathit{true}$ and $\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$, for some $i$, $0 \le i \le n$.

Given an interval $s_0 \ldots s_n$, the formula $w_1;w_2$ is true if there is at least one way to divide the interval into two adjacent subintervals $s_0 \ldots s_i$ and $s_i \ldots s_n$ such that the formula $w_1$ is true in the first one, $s_0 \ldots s_i$, and the formula $w_2$ is true in the second, $s_i \ldots s_n$.

Examples:

We now give the interpretations of some formulas with respect to the particular model discussed earlier:

• $\mathcal{M}_{ts}[\![P \wedge Q]\!] = \mathit{true}$ since $\mathcal{M}_{ts}[\![P]\!] = \mathit{true}$ and $\mathcal{M}_{ts}[\![Q]\!] = \mathit{true}$.

• $\mathcal{M}_{tus}[\![Q;P]\!] = \mathit{true}$ since $\mathcal{M}_{t}[\![Q]\!] = \mathit{true}$ and $\mathcal{M}_{tus}[\![P]\!] = \mathit{true}$.

• $\mathcal{M}_{ts}[\![\neg(P \wedge Q)]\!] = \mathit{false}$ since $\mathcal{M}_{ts}[\![P \wedge Q]\!] = \mathit{true}$.

• $\mathcal{M}_{ts}[\![\bigcirc(P \wedge \neg R)]\!] = \mathit{true}$ since $\mathcal{M}_{s}[\![P \wedge \neg R]\!] = \mathit{true}$.

A formula $w$ is satisfied by a pair $(\mathcal{M}, s_0 \ldots s_n)$ iff

$\mathcal{M}_{s_0 \ldots s_n}[\![w]\!] = \mathit{true}.$

This is denoted as follows:

$(\mathcal{M}, s_0 \ldots s_n) \models w$

We sometimes make $\mathcal{M}$ implicit and write

$s_0 \ldots s_n \models w.$

If all pairs of $\mathcal{M}$ and $s_0 \ldots s_n$ satisfy $w$ then $w$ is valid, written $\models w$.
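To make the four semantic clauses concrete, here is an added example (my own code, not from the thesis) that implements them as a small model checker and runs it on the sample model with states s, t, u given above. The tuple encoding of formulas, the function names and the bounded equivalence check over one interpretation are assumptions of the example, not notation from the text.

```python
# Added example (my own code, not from the thesis): the semantic clauses of
# section 2.1 as a model checker, run on the sample model with states s, t, u.
from itertools import product

# Formulas are tuples: a variable name, ("not", w), ("and", w1, w2),
# ("next", w) or ("chop", w1, w2).  Intervals are strings of state names,
# so "tus" is the interval s_0 s_1 s_2 = t u s.

def truth(M, interval, w):
    """M_{s0...sn}[[w]]: M maps each variable to the set of intervals where it is true."""
    if isinstance(w, str):
        return interval in M[w]
    op = w[0]
    if op == "not":
        return not truth(M, interval, w[1])
    if op == "and":
        return truth(M, interval, w[1]) and truth(M, interval, w[2])
    if op == "next":
        # true on s_1...s_n; false when the interval has length 0 (one state)
        return len(interval) > 1 and truth(M, interval[1:], w[1])
    if op == "chop":
        # some split point i: w1 on s_0...s_i and w2 on s_i...s_n (they share s_i)
        return any(truth(M, interval[:i + 1], w[1]) and truth(M, interval[i:], w[2])
                   for i in range(len(interval)))
    raise ValueError(f"unknown operator {op!r}")

# The sample model of the text: Sigma = {s, t, u}; P and Q are true exactly on
# the listed intervals and R is true nowhere.
SAMPLE_M = {
    "P": {"s", "t", "tus", "tt", "ts", "su"},
    "Q": {"t", "ts", "tst", "tsts"},
    "R": set(),
}

def sample_results():
    """The four worked interpretations from the text, keyed by a readable label."""
    p_and_q = ("and", "P", "Q")
    return {
        "ts |= P and Q": truth(SAMPLE_M, "ts", p_and_q),
        "tus |= Q;P": truth(SAMPLE_M, "tus", ("chop", "Q", "P")),
        "ts |= not (P and Q)": truth(SAMPLE_M, "ts", ("not", p_and_q)),
        "ts |= next (P and not R)": truth(SAMPLE_M, "ts", ("next", ("and", "P", ("not", "R")))),
    }

def equivalent_on(M, states, w1, w2, max_len=3):
    """True if w1 and w2 take the same truth value on every interval over
    'states' of length at most max_len under the single interpretation M.
    Validity proper also ranges over all interpretations; this checks one."""
    return all(truth(M, "".join(seq), w1) == truth(M, "".join(seq), w2)
               for n in range(max_len + 1)          # length n means n + 1 states
               for seq in product(states, repeat=n + 1))

if __name__ == "__main__":
    for label, value in sample_results().items():
        print(f"{label}: {value}")
    # (next P);Q against next (P;Q), both true or both false on every interval
    left, right = ("chop", ("next", "P"), "Q"), ("next", ("chop", "P", "Q"))
    print("next commutes with chop's left here:", equivalent_on(SAMPLE_M, "stu", left, right))
```

Running the block prints true, true, false, true for the four examples, matching the text; `equivalent_on` with the next/chop pair is a one-model spot check of an equivalence that the later sections list as valid in general.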

§2.2 Expressing Temporal Concepts in Propositional ITL

We illustrate propositional ITL's descriptive power by giving a variety of useful temporal concepts. The connectives $\neg$ and $\wedge$ clearly suffice to express other basic logical operators such as $\vee$ and $\equiv$:

• $w_1 \vee w_2$ – logical-or:

$w_1 \vee w_2 =_{\mathit{def}} \neg(\neg w_1 \wedge \neg w_2)$

• $w_1 \supset w_2$ – implication:

$w_1 \supset w_2 =_{\mathit{def}} \neg w_1 \vee w_2$

• $w_1 \equiv w_2$ – equivalence:

$w_1 \equiv w_2 =_{\mathit{def}} (w_1 \supset w_2) \wedge (w_2 \supset w_1)$

• if $w_1$ then $w_2$ else $w_3$ – conditional formula:

$\mathbf{if}\ w_1\ \mathbf{then}\ w_2\ \mathbf{else}\ w_3 =_{\mathit{def}} (w_1 \supset w_2) \wedge (\neg w_1 \supset w_3)$

• $\mathit{true}$ – truth:

$\mathit{true} =_{\mathit{def}} P \vee \neg P$

• $\mathit{false}$ – falsity:

$\mathit{false} =_{\mathit{def}} \neg\mathit{true}$
Some properties of next and semicolon

Throughout this thesis, numerous sample formulas are given in order to convey the utility of ITL for expressing temporal and digital concepts. The reader need not look at every single formula. Here are some representative properties of the operators next and semicolon. All follow from the semantic model just covered.

$\models (P;Q);R \equiv P;(Q;R)$

Semicolon is associative. Therefore a formula such as $P;Q;R$ is unambiguous.

$\models [(P \vee Q);R] \equiv [(P;R) \vee (Q;R)]$

The left of semicolon distributes with logical-or. An analogous property applies to the right of semicolon.

$\models [P;(Q \wedge R)] \supset [(P;Q) \wedge (P;R)]$

A logical-and can be removed from semicolon's right. The left of semicolon has a similar property.

$\models (\bigcirc P);Q \equiv \bigcirc(P;Q)$

The operator $\bigcirc$ commutes with the left of semicolon.

We now introduce a variety of other useful temporal concepts that are expressible by means of the constructs just defined.

Examining subintervals

For a formula $w$ and an interval $s_0 \ldots s_n$, the construct $\Diamond_a w$ is true if $w$ is true in at least one subinterval $s_i \ldots s_j$ contained within $s_0 \ldots s_n$ and possibly the entire interval $s_0 \ldots s_n$ itself. Note that the "a" in $\Diamond_a$ simply stands for "any" and is not a variable.

$\mathcal{M}_{s_0 \ldots s_n}[\![\Diamond_a w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_i \ldots s_j}[\![w]\!] = \mathit{true}$, for some $0 \le i \le j \le n$

Similarly, the formula $\Box_a w$ is true if the formula $w$ itself is true in all subintervals of $s_0 \ldots s_n$:

$\mathcal{M}_{s_0 \ldots s_n}[\![\Box_a w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_i \ldots s_j}[\![w]\!] = \mathit{true}$, for all $0 \le i \le j \le n$

These constructs can be expressed as follows:

$\Diamond_a w =_{\mathit{def}} (\mathit{true};w;\mathit{true})$

$\Box_a w =_{\mathit{def}} \neg\Diamond_a \neg w$

Because semicolon is associative, the definition of $\Diamond_a$ is unambiguous. Together, $\Diamond_a$ and $\Box_a$ fulfill all the axioms of the modal system S4 [23], with $\Diamond_a$ interpreted as possibly and $\Box_a$ as necessarily.

Properties:

$\models \Box_a P \supset P$

If the proposition $P$ is true in all subintervals then it is true in the primary interval.

$\models \Box_a(P \wedge Q) \equiv [\Box_a P \wedge \Box_a Q]$

The logical-and of two propositions $P$ and $Q$ is true in every subinterval if and only if both propositions are true everywhere.

$\models \Diamond_a P \equiv \Diamond_a\Diamond_a P$

A proposition $P$ is somewhere true exactly if there is some subinterval in which $P$ is somewhere true.

$\models [\Box_a P \wedge \Diamond_a Q] \supset \Diamond_a(P \wedge Q)$

If $P$ is true in all subintervals and $Q$ is true in some subinterval then both are simultaneously true in at least one subinterval.

Initial and terminal subintervals

For a given interval $s_0 \ldots s_n$ the operators $\Diamond_i$ and $\Box_i$ are similar to $\Diamond_a$ and $\Box_a$ but only look at initial subintervals of the form $s_0 \ldots s_i$ for $i \le n$. We can express $\Diamond_i w$ and $\Box_i w$ as shown below:

For example, the formula $\Box_i(P \wedge Q)$ is true on an interval if $P$ and $Q$ are both true in all initial subintervals. The connectives $\Diamond$ and $\Box$ refer to terminal subintervals of the form $s_i \ldots s_n$ and are expressed as follows:

$\Diamond w =_{\mathit{def}} (\mathit{true};w)$

$\Box w =_{\mathit{def}} \neg\Diamond\neg w$

Both pairs of operators satisfy the axioms of S4. The operators $\Diamond$ and $\Box$ correspond directly to $\Diamond$ and $\Box$ in linear-time temporal logic [31].

Properties:

$\models (\Box_a P \equiv \Box\Box_i P) \wedge (\Box\Box_i P \equiv \Box_i\Box P)$

The proposition $P$ is true in all subintervals exactly if $P$ is true in all initial subintervals of all terminal subintervals. In fact, the operators $\Box_i$ and $\Box$ commute.

$\models [\Box_i(P \supset Q) \wedge (P;R)] \supset (Q;R)$

If $P$ implies $Q$ in all initial subintervals and $P$ is followed by $R$, then $Q$ is followed by $R$.

$\models (\Diamond P);Q \equiv \Diamond(P;Q)$

The operator $\Diamond$ commutes with the left of semicolon.

The yields operator

It is often desirable to say that within an interval $s_0 \ldots s_n$, whenever some formula $w_1$ is true in any initial subinterval $s_0 \ldots s_i$, then another formula $w_2$ is true in the corresponding terminal interval $s_i \ldots s_n$ for any $i$, $0 \le i \le n$. We say that $w_1$ yields $w_2$ and denote this by the formula $w_1 \rightsquigarrow w_2$:

$\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \rightsquigarrow w_2]\!] = \mathit{true}$

iff $\mathcal{M}_{s_0 \ldots s_i}[\![w_1]\!] = \mathit{true}$ implies $\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$, for all $0 \le i \le n$

The yields operator can be viewed as ensuring that no counterexample of the form $w_1;\neg w_2$ exists in the interval:

$(w_1 \rightsquigarrow w_2) =_{\mathit{def}} \neg(w_1;\neg w_2)$

This is similar to interpreting the implication $w_1 \supset w_2$ as the formula $\neg(w_1 \wedge \neg w_2)$.
Examples:

Concept                              Formula
After P, both Q and R are true       $P \rightsquigarrow (Q \wedge R)$
After P, Q yields R                  $P \rightsquigarrow (Q \rightsquigarrow R)$
P always yields Q                    $\Box_a(P \rightsquigarrow Q)$
After P and Q, R is false            $(P;Q) \rightsquigarrow \neg R$

Properties:

$\models ([P;Q] \rightsquigarrow R) \equiv (P \rightsquigarrow [Q \rightsquigarrow R])$

The formula $P;Q$ yields $R$ exactly if after $P$ is true, $Q$ yields $R$. This is analogous to the propositional tautology

$\models [(P \wedge Q) \supset R] \equiv [P \supset (Q \supset R)]$

$\models \mathit{false} \rightsquigarrow P$

After $\mathit{false}$, anything can happen. Since $\mathit{false}$ never occurs, this is a vacuous assertion.

When combined with other temporal operators, yields exhibits a number of interesting properties based on the underlying behavior of semicolon. Here are some examples:

$\models \Box P \equiv (\mathit{true} \rightsquigarrow P)$

The proposition $P$ is true in all terminal subintervals exactly if $P$ is true after any initial subinterval satisfying $\mathit{true}$.

$\models (P \rightsquigarrow \Box Q) \equiv (\Diamond_i P \rightsquigarrow Q)$

After $P$, $Q$ is true in all terminal subintervals iff the result of $P$ being true in some initial subinterval yields $Q$.

$\models (P \rightsquigarrow \Box_i Q) \equiv \Box_i(P \rightsquigarrow Q)$

After any initial subinterval where $P$ is true, the formula $\Box_i Q$ results iff in all initial subintervals, $P$ yields $Q$.
Temporal length

The construct $\mathit{empty}$ checks whether an interval has length 0:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{empty}]\!] = \mathit{true}$ iff $n = 0$

Similarly, the construct $\mathit{skip}$ checks whether the interval's length is exactly 1:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{skip}]\!] = \mathit{true}$ iff $n = 1$

These operators are expressible as shown below:

$\mathit{empty} =_{\mathit{def}} \neg\bigcirc\mathit{true}$

$\mathit{skip} =_{\mathit{def}} \bigcirc\mathit{empty}$

Combinations of the operators $\mathit{skip}$ and semicolon can be used to test for intervals of some fixed length. For example, the formula

$\mathit{skip};\mathit{skip};\mathit{skip}$

is true exactly for intervals of length 3. Alternatively, the connective next suffices:

$\bigcirc\bigcirc\bigcirc\mathit{empty}$

Examples:

Concept                              Formula
After two units of time, P holds     $\mathit{skip};\mathit{skip};P$
P is true in some unit subinterval   $\Diamond_a(\mathit{skip} \wedge P)$

Properties:

$\models \Diamond\mathit{empty}$

Eventually time runs out because intervals are finite.

$\models (\mathit{skip};P) \equiv \bigcirc P$

The operators $\mathit{skip}$ and semicolon can be used instead of next.

$\models (\mathit{empty};P) \equiv P$

The construct $\mathit{empty}$ disappears on the left of semicolon. An analogous theorem applies to the right of semicolon as well.

Initial and final states

The construct $\mathit{beg}\ w$ tests if the formula $w$ is true in an interval's starting state:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{beg}\ w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0}[\![w]\!] = \mathit{true}$

The connective $\mathit{beg}$ can be expressed as follows:

$\mathit{beg}\ w =_{\mathit{def}} \Diamond_i(\mathit{empty} \wedge w)$

This checks that $w$ holds for an initial subinterval of length 0, i.e., the interval's first state. By analogy, the final state can be examined by the operator $\mathit{fin}\ w$:

$\mathit{fin}\ w =_{\mathit{def}} \Diamond(\mathit{empty} \wedge w)$

This checks that $w$ holds for a terminal subinterval of length 0, i.e., the interval's final state. The construct $\mathit{beg}$ corresponds directly to the construct $\mathit{first}$ in the process logic of Harel et al. [20]. Similarly, $\mathit{fin}$ corresponds to the process logic's construct $\mathit{last}$.

Examples:

Concept                              Formula
If P is initially true, it ends true $\mathit{beg}\ P \supset \mathit{fin}\ P$
P and Q end true                     $\mathit{fin}(P \wedge Q)$

Properties:

$\models \mathit{beg}\ P \equiv \neg\mathit{beg}(\neg P)$

$P$ is true in the first state iff $\neg P$ is not.

$\models \mathit{fin}(P \vee Q) \equiv [\mathit{fin}\ P \vee \mathit{fin}\ Q]$

The logical-or of $P$ and $Q$ ends up true exactly if either $P$ ends true or $Q$ ends true.

The operators halt and keep

Various other useful operators can be expressed in propositional ITL. For example, the construct $\mathit{halt}\ w$ is true for intervals that terminate the first time the formula $w$ is true:

$\mathit{halt}\ w =_{\mathit{def}} \Box(w \equiv \mathit{empty})$

Thus $\mathit{halt}\ w$ can be thought of as forcing an interval to wait until $w$ occurs.

The construct $\mathit{keep}\ w$ is true if the formula $w$ is true in all nonempty terminal intervals:

$\mathit{keep}\ w =_{\mathit{def}} \Box([\neg\mathit{empty}] \supset w)$



§2.3 Propositional ITL with Quantification

It is very useful to extend propositional ITL to permit existential and universal quantification over variables. In order for quantification to properly work, we require that $\Sigma$, the model's set of states, be varied enough so that any possible combined behavior of variables is represented by some interval. More precisely, let $P$ be a propositional variable, $s_0 \ldots s_n$ be an interval and $a(i,j)$ be a function mapping ordered pairs $0 \le i \le j \le n$ to truth values. We require some interval $s'_0 \ldots s'_n$ exist such that $s'_i \ldots s'_j$ agrees with the corresponding subinterval $s_i \ldots s_j$ on assignments to all variables with the exception that each subinterval $s'_i \ldots s'_j$ gives $P$ the value

We denote the interval $s'_0 \ldots s'_n$ as

$(s_0 \ldots s_n)[P/a]$

The construct

$\exists P.\ w$

represents existential quantification and has the semantics

$\mathcal{M}_{s_0 \ldots s_n}[\![\exists P.\ w]\!] = \mathit{true}$ iff for some $a$, $\mathcal{M}_{s'_0 \ldots s'_n}[\![w]\!] = \mathit{true}$, where $s'_0 \ldots s'_n = (s_0 \ldots s_n)[P/a]$.

Universal quantification is expressed as the dual of existential quantification:

$\forall P.\ w =_{\mathit{def}} \neg\exists P.\ \neg w$

Property:

$\models (\neg\mathit{empty}) \supset \exists P.\ [\mathit{beg}\ P \wedge \mathit{fin}(\neg P)]$

In a nonempty interval, a variable can be constructed that starts true and ends false.

The until operator

Linear-time temporal logic has the until operator $w_1\ \mathcal{U}\ w_2$ which is true in an interval if the formula $w_2$ is eventually true and $w_1$ is true until then:

$\mathcal{M}_{s_0 \ldots s_n}[\![w_1\ \mathcal{U}\ w_2]\!] = \mathit{true}$ iff

$\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$ for some $0 \le i \le n$ and $\mathcal{M}_{s_j \ldots s_n}[\![w_1]\!] = \mathit{true}$ for all $0 \le j < i$

We can express until as follows:

$w_1\ \mathcal{U}\ w_2 =_{\mathit{def}} \exists P.\ [\mathit{beg}\ P \wedge \Box(\mathit{beg}\ P \supset [w_2 \vee (w_1 \wedge \bigcirc\mathit{beg}\ P)])]$

where $P$ does not occur free in $w_1$ or $w_2$. In essence, $P$ is initially true and inductively remains so until $w_2$ is true.
Iteration

An interval can be broken up into an arbitrary number of successive subintervals, each satisfying some formula $w$. We can use, for example, the construct $w^3$ as an abbreviation for

$w;w;w$

In general, we abbreviate repetition by induction:

$w^0 =_{\mathit{def}} \mathit{empty}$

$w^{i+1} =_{\mathit{def}} w;w^i$

Thus, for the case of $i = 0$, an interval $s_0 \ldots s_n$ satisfies the operator exactly if the interval's length is 0. We can extend propositional ITL to include the Kleene closure of semicolon:

$\mathcal{M}_{s_0 \ldots s_n}[\![w^*]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w^i]\!] = \mathit{true}$, for some $i \ge 0$.

Iteration can be expressed by quantifying over a variable $P$ that is true at the end-points of the steps:

$w^* =_{\mathit{def}} \exists P.\ (\mathit{beg}\ P \wedge \Box[\mathit{beg}\ P \supset (\mathit{empty} \vee \Diamond_i[w \wedge \bigcirc\mathit{halt}(\mathit{beg}\ P)])])$

where $P$ does not occur free in $w$. Other constructs such as while-loops can also be expressed within ITL:

$\mathbf{while}\ P\ \mathbf{do}\ Q =_{\mathit{def}} [(\mathit{beg}\ P \wedge Q)^* \wedge \mathit{fin}(\neg P)]$

Properties:

$\models P^* \equiv [P \wedge \neg\mathit{empty}]^*$

During iteration, each step can be assumed to have length $\ge 1$.

$\models \mathit{false}^* \equiv \mathit{empty}$

An interval in which $\mathit{false}$ is iterated must be empty.
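The derived operators of §2.2 and the qu﻿antified constructs of §2.3 are all definitional, so every listed property can be checked mechanically by evaluating the definitions over all small models. The following added example (my own code, not the thesis's) does that: it writes the operators as Python combinators over the four core clauses, evaluates the until and Kleene-closure encodings beside their direct semantics, and runs an exhaustive validity check over every interpretation of P and Q on intervals of length at most 2. Assumptions of the example: the initial-subinterval operator $\Diamond_i w$, whose definition the page does not show, is taken to be $(w;\mathit{true})$ by analogy with $\Diamond w =_{\mathit{def}} (\mathit{true};w)$; the bound variable of the until and star encodings is named U; and all function names are mine.

```python
# Added example, my own code and not from the thesis: the derived operators of
# sections 2.2 and 2.3 as Python combinators over the core semantics, with an
# exhaustive validity checker for small models.  The initial-subinterval
# operator, whose definition the page omits, is assumed to be (w; true).
from itertools import product

# A formula is a function w(M, i, j) -> bool giving its truth on the subinterval
# s_i ... s_j.  M maps each variable name to the set of index pairs (i, j) on
# which it is true; states are identified by their position only.
def var(name): return lambda M, i, j: (i, j) in M[name]
def neg(w): return lambda M, i, j: not w(M, i, j)
def conj(w1, w2): return lambda M, i, j: w1(M, i, j) and w2(M, i, j)
def nxt(w): return lambda M, i, j: j > i and w(M, i + 1, j)   # needs length >= 1
def chop(w1, w2):                                            # some split point k
    return lambda M, i, j: any(w1(M, i, k) and w2(M, k, j) for k in range(i, j + 1))

# Section 2.2, following the definitions on the page (true, i.e. P or not P,
# is evaluated directly as a constant for speed).
def disj(w1, w2): return neg(conj(neg(w1), neg(w2)))
def impl(w1, w2): return disj(neg(w1), w2)
def equiv(w1, w2): return conj(impl(w1, w2), impl(w2, w1))
P, Q = var("P"), var("Q")
TRUE = lambda M, i, j: True
FALSE = neg(TRUE)
EMPTY = neg(nxt(TRUE))                               # length 0
SKIP = nxt(EMPTY)                                    # length 1
def dia_a(w): return chop(TRUE, chop(w, TRUE))       # some subinterval
def box_a(w): return neg(dia_a(neg(w)))              # all subintervals
def dia_i(w): return chop(w, TRUE)                   # some initial subinterval (assumed)
def box_i(w): return neg(dia_i(neg(w)))
def dia(w): return chop(TRUE, w)                     # some terminal subinterval
def box(w): return neg(dia(neg(w)))
def yields(w1, w2): return neg(chop(w1, neg(w2)))    # no counterexample w1; not w2
def beg(w): return dia_i(conj(EMPTY, w))             # w in the first state
def fin(w): return dia(conj(EMPTY, w))               # w in the last state
def halt(w): return box(equiv(w, EMPTY))             # ends the first time w holds
def keep(w): return box(impl(neg(EMPTY), w))         # w on all nonempty terminal subintervals

# Section 2.3: exists tries every assignment a(i', j') of the bound variable over
# the subintervals of s_i ... s_j; the other variables keep their values.
def subpairs(i, j): return [(a, b) for a in range(i, j + 1) for b in range(a, j + 1)]
def exists(name, w):
    def sem(M, i, j):
        pairs = subpairs(i, j)
        for bits in product((False, True), repeat=len(pairs)):
            if w(dict(M, **{name: {p for p, b in zip(pairs, bits) if b}}), i, j):
                return True
        return False
    return sem
def forall(name, w): return neg(exists(name, neg(w)))

# until and Kleene closure: direct semantics beside the page's quantified
# encodings (the bound variable "U" is assumed not to occur in the operands).
def until_direct(w1, w2):
    return lambda M, i, j: any(w2(M, k, j) and all(w1(M, m, j) for m in range(i, k))
                               for k in range(i, j + 1))
def until(w1, w2):
    U = var("U")
    return exists("U", conj(beg(U), box(impl(beg(U), disj(w2, conj(w1, nxt(beg(U))))))))
def power(w, n): return EMPTY if n == 0 else chop(w, power(w, n - 1))   # w^n
def star_direct(w):      # empty steps can be dropped, so length + 1 iterations suffice
    return lambda M, i, j: any(power(w, n)(M, i, j) for n in range(j - i + 2))
def star(w):
    U = var("U")
    step = dia_i(conj(w, nxt(halt(beg(U)))))       # one w-step ending at the next U state
    return exists("U", conj(beg(U), box(impl(beg(U), disj(EMPTY, step)))))

def valid(w, names=("P", "Q"), max_len=2):
    """Exhaustive validity check: every interpretation of `names` on every interval
    of length <= max_len.  Evaluating on the whole interval suffices, since any
    subinterval together with its interpretation is itself such a model."""
    for n in range(max_len + 1):
        pairs = subpairs(0, n)
        assignments = list(product((False, True), repeat=len(pairs)))
        for choice in product(assignments, repeat=len(names)):
            M = {nm: {p for p, b in zip(pairs, bits) if b} for nm, bits in zip(names, choice)}
            if not w(M, 0, n):
                return False
    return True

# Properties quoted in the text; each should be valid.
PROPERTIES = [
    ("box_a P implies P", impl(box_a(P), P), ("P",)),
    ("box_a (P and Q) == box_a P and box_a Q", equiv(box_a(conj(P, Q)), conj(box_a(P), box_a(Q))), ("P", "Q")),
    ("dia_a P == dia_a dia_a P", equiv(dia_a(P), dia_a(dia_a(P))), ("P",)),
    ("box_a P and dia_a Q implies dia_a (P and Q)", impl(conj(box_a(P), dia_a(Q)), dia_a(conj(P, Q))), ("P", "Q")),
    ("box_a P == box box_i P", equiv(box_a(P), box(box_i(P))), ("P",)),
    ("box box_i P == box_i box P", equiv(box(box_i(P)), box_i(box(P))), ("P",)),
    ("(dia P);Q == dia (P;Q)", equiv(chop(dia(P), Q), dia(chop(P, Q))), ("P", "Q")),
    ("box P == true yields P", equiv(box(P), yields(TRUE, P)), ("P",)),
    ("P yields box Q == dia_i P yields Q", equiv(yields(P, box(Q)), yields(dia_i(P), Q)), ("P", "Q")),
    ("P yields box_i Q == box_i (P yields Q)", equiv(yields(P, box_i(Q)), box_i(yields(P, Q))), ("P", "Q")),
    ("skip;P == next P", equiv(chop(SKIP, P), nxt(P)), ("P",)),
    ("empty;P == P", equiv(chop(EMPTY, P), P), ("P",)),
    ("beg P == not beg not P", equiv(beg(P), neg(beg(neg(P)))), ("P",)),
    ("fin (P or Q) == fin P or fin Q", equiv(fin(disj(P, Q)), disj(fin(P), fin(Q))), ("P", "Q")),
    ("not empty implies exists P. beg P and fin not P", impl(neg(EMPTY), exists("P", conj(beg(P), fin(neg(P))))), ("P",)),
    ("until encoding matches its semantics", equiv(until(P, neg(P)), until_direct(P, neg(P))), ("P",)),
    ("star encoding matches its semantics", equiv(star(P), star_direct(P)), ("P",)),
    ("P* == (P and not empty)*", equiv(star(P), star(conj(P, neg(EMPTY)))), ("P",)),
    ("false* == empty", equiv(star(FALSE), EMPTY), ("P",)),
]

def check_all():
    return {label: valid(w, names) for label, w, names in PROPERTIES}

if __name__ == "__main__":
    for label, ok in check_all().items():
        print("ok  " if ok else "FAIL", label)
```

The check is exhaustive only for the lengths it enumerates, so it can refute a conjectured property but not prove one; it is still a useful first filter before attempting a proof from the semantic clauses. Note how the until and star encodings depend on the bound variable being fresh: `until(P, Q)` reuses the name U internally, so an operand mentioning U would be captured.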
§2.4 Some Complexity Results

We prove that satisfiability for arbitrary formulas in propositional ITL is undecidable but demonstrate the decidability of a useful subset.

Undecidability of propositional ITL

Theorem (Halpern and Moszkowski): Satisfiability for propositional ITL is undecidable.

Proof: Our proof is very similar to the one presented by Chandra et al. [11] for showing the undecidability of satisfiability for a propositional process logic. We strengthen their result since we do not require programs in order to obtain undecidability.

Given two context-free grammars $G_1$ and $G_2$, we can construct a propositional ITL formula that is satisfiable iff the intersection of the languages generated by $G_1$ and $G_2$ is nonempty. Since this intersection problem is undecidable [22], it follows that satisfiability for propositional ITL is also.

Without loss of generality, we assume that $G_1$ and $G_2$ contain no $\epsilon$-productions, use 0 and 1 as the only terminal symbols and are in Greibach normal form (that is, the right-hand side of each production starts with a terminal symbol).

For a given interval $s_0 \ldots s_n$ and an interpretation $\mathcal{M}$, we form the trace $\sigma_{s_0 \ldots s_n}(P)$ of a variable $P$ by observing $P$'s behavior over the states $s_0, \ldots, s_n$. We define $\sigma$ as follows:

$\sigma_s(P) = 0$ if $\mathcal{M}_s[\![P]\!] = \mathit{false}$, and $\sigma_s(P) = 1$ if $\mathcal{M}_s[\![P]\!] = \mathit{true}$

$\sigma_{s_0 \ldots s_n}(P) = \sigma_{s_0}(P) \ldots \sigma_{s_n}(P)$

Suppose that $G$ is a context-free grammar consisting of a list $\pi$ of $m$ production sets $\pi_1, \ldots, \pi_m$, one for each nonterminal symbol $A_i$:

$\pi_1:\ A_1 \to \pi_{11} \mid \pi_{12} \mid \cdots \mid \pi_{1,|\pi_1|}$

$\pi_2:\ A_2 \to \pi_{21} \mid \pi_{22} \mid \cdots \mid \pi_{2,|\pi_2|}$

$\vdots$

$\pi_m:\ A_m \to \pi_{m1} \mid \pi_{m2} \mid \cdots \mid \pi_{m,|\pi_m|}$
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Let  L(G,Ai)  be  the  language  generated  by  G  with  A+  aa  the  start  symbol.  We 
give  a  translation  f(G,At)  into  ITL  such  that  an  interval  «o- . .  *n  satisfies  f(G,Ai) 
iff  P's  trace  in  so. . .  •„  is  in  HG,  A «): 

•o  ...•«*  HG,Ai)  iff  <r......„(P)  €!(<?,*).  (*) 


For  each  of  the  production  sets  r,,  the  associated  translation  /(*<)  is  the  ITL  formula 
B(A<  =  {/(va)  v  /(*«)  v  •••  v  /(*<, |„|)]) 

Each  production  string  i r,-,-  =*  Vy  V2. . .  Vjw<i|  has  the  translation 

f(Vx V2. . .  Vm)  -  /(Vi);  ***;  /(V2);  ship; . . .  s*tp;  /(V {,„,) 

where 

/( 0)  =  (-P  a  empty) 

/(l)  *  (P  a  empty) 

/(A<)  =  A,  ,  for  each  nonterminal  symbol  A* 

Recall  that  the  variable  P  determines  whether  a  state  maps  to  0  or  1.  In  order  to 
avoid  conflicts,  we  require  that  P  not  occur  in  the  grammar.  The  overall  translation 
f(G,Ai)  is 

Ai  A  /(*•) 


It is now easy to show $(*)$ by induction on the size of the interval $s_0 \ldots s_n$. We need the grammar to be in Greibach normal form in order for the inductive step to go through. See Chandra et al. [11] for details.

Given two context-free grammars $G_1$ and $G_2$ with disjoint sets of nonterminals and respective start symbols $S_1$ and $S_2$, the ITL formula

$$f(G_1, S_1) \wedge f(G_2, S_2)$$

is satisfiable iff the intersection of the languages $L(G_1)$ and $L(G_2)$ is nonempty. Because this emptiness problem is undecidable [22], it follows that satisfiability in propositional ITL is also. ∎

Corollary: Validity for propositional ITL is undecidable.

Remark: Undecidability can be shown to hold even if we are restricted to just using $\mathit{empty}$ instead of $\mathit{skip}$. To do this, we use propositional variables $P$ and $Q$. We introduce an operator $\mathit{group}(P, Q)$ which is true in intervals satisfying the formula

$$(\Box_a\,\mathit{beg}\,Q);\ \mathit{skip};\ (\Box_a\,\mathit{beg}[P \wedge \neg Q]);\ \mathit{skip};\ (\Box_a\,\mathit{beg}\,Q)$$

Such intervals are in effect delimited on both sides by states with $Q$ true and contain internal states with $P \wedge \neg Q$ true. Hence, $Q$ acts as a delimiter around a group of states where $P$ is true. The following is a sample 5-state interval $s_0 \ldots s_4$ satisfying $\mathit{group}(P, Q)$:

    state:   s_0    s_1        s_2        s_3    s_4
    true:    Q      P ∧ ¬Q     P ∧ ¬Q     Q      Q

Similarly, $\mathit{group}(\neg P, Q)$ denotes a delimited group of states with $\neg P$ true in the interior. If we take $\mathit{empty}$ as a primitive operator, the operator $\mathit{group}$ can be expressed without the use of $\mathit{next}$:

$$\mathit{group}(P, Q) \equiv_{\mathrm{def}} [\mathit{grp}(P, Q) \wedge \neg(\mathit{grp}(P, Q);\ \mathit{grp}(P, Q))]$$

where $\mathit{grp}(P, Q)$ has the definition

$$\mathit{grp}(P, Q) \equiv_{\mathrm{def}} [\mathit{beg}\,Q \wedge \mathit{fin}\,Q \wedge \Box\,\mathit{beg}[(P \wedge \neg Q) \vee Q] \wedge \Diamond\,\mathit{beg}\,P]$$

Recall that $\mathit{beg}$ and $\mathit{fin}$ are defined using $\mathit{empty}$ and semicolon:

$$\mathit{beg}\,w \equiv_{\mathrm{def}} (\mathit{empty} \wedge w);\ \mathit{true}$$
$$\mathit{fin}\,w \equiv_{\mathrm{def}} \mathit{true};\ (\mathit{empty} \wedge w)$$

The modified translation $f'$ is like $f$ with the following exceptions:

$$f'(V_1 V_2 \ldots V_k) = f'(V_1);\ f'(V_2);\ \ldots;\ f'(V_k)$$
$$f'(0) = \mathit{group}(\neg P, Q)$$
$$f'(1) = \mathit{group}(P, Q)$$

∎
Decidability of a subset of ITL

In local ITL (LITL), we restrict each variable $P$ to be true of an interval $s_0 \ldots s_n$ iff $P$ is true of the first state $s_0$:

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket P \rrbracket = \mathcal{M}_{s_0}\llbracket P \rrbracket$$

Theorem (Halpern and Moszkowski): Propositional local ITL with quantification is decidable.

Proof: We give a linear translation from formulas in propositional local ITL to formulas in a temporal logic that is known to be decidable. This is the quantified propositional temporal logic (QPTL) described and analyzed in Wolper [50] and Wolper et al. [51]. Formulas are built from propositional variables $P, Q, \ldots$ and the constructs

$$\neg w \qquad w_1 \wedge w_2 \qquad \bigcirc w \qquad \Box w \qquad \exists P.\,w$$

where $w$, $w_1$ and $w_2$ are themselves QPTL formulas. The interpretation of variables and formulas is identical to that of local ITL with quantification. The particular QPTL used by us restricts intervals to be finite and is known as weak QPTL (WQPTL). Weak QPTL can express such constructs as $\Diamond w$, $w_1\ \mathcal{U}\ w_2$, and $\mathit{empty}$. For a given variable $P$ and local ITL formula $w$, we now give a translation $g(P, w)$ which is true of an interval $s_0 \ldots s_n$ in weak QPTL iff the variable $P$ is true for the first time in some state $s_i$ and $w$ is true over the initial interval $s_0 \ldots s_i$. Thus, $g(P, w)$ is semantically like the ITL formula

$$([\mathit{halt}\ P] \wedge w);\ \mathit{true}$$

Here is the definition of $g$:

$$g(P, Q) = (\Diamond P) \wedge Q$$
$$g(P, \neg w) = [\neg g(P, w) \wedge \Diamond P]$$
$$g(P, [w_1 \wedge w_2]) = [g(P, w_1) \wedge g(P, w_2)]$$
$$g(P, \bigcirc w) = [\neg P \wedge \bigcirc g(P, w)]$$
$$g(P, [w_1; w_2]) = \exists R.\,[g(R, w_1) \wedge ([\neg P \wedge \neg R]\ \mathcal{U}\ [R \wedge g(P, w_2)])],$$

where $R$ does not occur free in either $w_1$ or $w_2$; the conjunct $\neg R$ in the until makes the chop point $R$'s first occurrence, the one fixed by $g(R, w_1)$.

$$g(P, \exists Q.\,w) = \exists Q.\,g(P, w)$$

A formula $w$ in local ITL has the same semantics as $g(\mathit{empty}, w)$ in weak QPTL:

$$s_0 \ldots s_n \models_{\mathrm{LITL}} w \quad\text{iff}\quad s_0 \ldots s_n \models_{\mathrm{WQPTL}} g(\mathit{empty}, w)$$

Wolper [50] and Wolper et al. [51] show that the theory of QPTL over infinite intervals is decidable but nonelementary; this result easily extends to weak QPTL. For any fixed depth of alternation between $\neg$ and $\exists$, the complexity is elementary. ∎

Remark: The translation can be extended to handle local ITL over infinite intervals. ∎
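The translation $g$ can be checked mechanically on small intervals. The following Python is an added example, not part of the dissertation: it encodes LITL and weak QPTL formulas as nested tuples (an encoding chosen here), evaluates both logics over finite intervals with propositional quantification by enumeration, implements $g$ as defined above, and confirms $s_0 \ldots s_n \models_{\mathrm{LITL}} w$ iff $s_0 \ldots s_n \models_{\mathrm{WQPTL}} g(\mathit{empty}, w)$ for every behaviour of the free variables up to a given length. The until clause carries $\neg P \wedge \neg R$ so that the chop point is $R$'s first occurrence; the sample formulas are constructed for the check.

```python
"""Added example, not from the dissertation: the translation g from local ITL
(LITL) to weak QPTL, checked semantically on small finite intervals.  Formulas
are nested tuples (an encoding chosen here); variables are local, so their
value on an interval is their value in its first state.  Sample formulas and
variable behaviours are constructed for the check."""
from itertools import count, product

TRUE = ("true",)
EMPTY = ("not", ("next", TRUE))        # empty: there is no next state

def rebind(env, x, i, bits, n):
    """Copy env with variable x set to bits on states i, i+1, ...; states
    outside the evaluated interval are irrelevant and get False."""
    new = dict(env)
    new[x] = (False,) * i + tuple(bits) + (False,) * (n + 1 - i - len(bits))
    return new

def litl(w, i, j, n, env):
    """s_i ... s_j |= w in LITL; env maps a variable to one bool per state."""
    op, args = w[0], w[1:]
    ev = lambda x, a, b, e=env: litl(x, a, b, n, e)
    if op == "true":   return True
    if op == "var":    return env[args[0]][i]
    if op == "not":    return not ev(args[0], i, j)
    if op == "and":    return ev(args[0], i, j) and ev(args[1], i, j)
    if op == "next":   return i < j and ev(args[0], i + 1, j)
    if op == "chop":   # w1 ; w2 sharing the state s_k
        return any(ev(args[0], i, k) and ev(args[1], k, j) for k in range(i, j + 1))
    if op == "exists": # some behaviour of the variable over s_i ... s_j
        return any(ev(args[1], i, j, rebind(env, args[0], i, bits, n))
                   for bits in product((False, True), repeat=j - i + 1))
    raise ValueError(op)

def qptl(w, i, n, env):
    """s_i ... s_n |= w in weak QPTL (finite intervals, suffix semantics)."""
    op, args = w[0], w[1:]
    ev = lambda x, a, e=env: qptl(x, a, n, e)
    if op == "true":    return True
    if op == "var":     return env[args[0]][i]
    if op == "not":     return not ev(args[0], i)
    if op == "and":     return ev(args[0], i) and ev(args[1], i)
    if op == "next":    return i < n and ev(args[0], i + 1)
    if op == "diamond": return any(ev(args[0], k) for k in range(i, n + 1))
    if op == "until":   # w1 U w2: w2 at some s_k, w1 at every state before it
        return any(ev(args[1], k) and all(ev(args[0], l) for l in range(i, k))
                   for k in range(i, n + 1))
    if op == "exists":
        return any(ev(args[1], i, rebind(env, args[0], i, bits, n))
                   for bits in product((False, True), repeat=n - i + 1))
    raise ValueError(op)

_fresh = count()

def g(p, w):
    """g(P, w): true on s_0 ... s_n iff P holds for the first time at some s_i
    and w holds on s_0 ... s_i.  P is a QPTL formula (EMPTY or a fresh
    variable), so 'P at s_k' means P holds on the suffix s_k ... s_n."""
    op = w[0]
    if op == "true":
        return ("diamond", p)
    if op == "var":
        return ("and", ("diamond", p), w)
    if op == "not":
        return ("and", ("not", g(p, w[1])), ("diamond", p))
    if op == "and":
        return ("and", g(p, w[1]), g(p, w[2]))
    if op == "next":
        return ("and", ("not", p), ("next", g(p, w[1])))
    if op == "chop":   # R marks the chop point; the until forces it to be
        r = ("var", "_R%d" % next(_fresh))   # R's first occurrence
        return ("exists", r[1], ("and", g(r, w[1]),
                ("until", ("and", ("not", p), ("not", r)), ("and", r, g(p, w[2])))))
    if op == "exists":
        return ("exists", w[1], g(p, w[2]))
    raise ValueError(op)

def equivalent(w, free_vars, max_len):
    """s_0 ... s_n |=LITL w  iff  s_0 ... s_n |=WQPTL g(empty, w), for every
    interval with at most max_len + 1 states and every behaviour of free_vars."""
    gw = g(EMPTY, w)
    for n in range(max_len + 1):
        for behaviour in product(product((False, True), repeat=n + 1), repeat=len(free_vars)):
            env = dict(zip(free_vars, behaviour))
            if litl(w, 0, n, n, env) != qptl(gw, 0, n, env):
                return False
    return True

Q = ("var", "Q")
SAMPLES = [                            # constructed LITL formulas
    ("chop", ("next", EMPTY), ("next", EMPTY)),                  # len = 2
    ("chop", Q, ("next", Q)),                                    # Q ; next Q
    ("not", ("chop", Q, ("next", ("next", EMPTY)))),
    ("exists", "X", ("and", ("var", "X"), ("chop", ("next", ("not", ("var", "X"))), Q))),
]
```

Quantification is handled by brute-force enumeration of a variable's behaviour over the states in scope, which is exactly what makes the check exponential and why it is only a sanity check of the translation, not a decision procedure of practical size.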

Lower bound for satisfiability

The decision procedure just given is essentially the best that can be done since D. Kozen (private communication) has proved the following theorem:

Theorem (Kozen): Satisfiability for propositional local ITL is nonelementary.

Proof: Stockmeyer [44] shows that the problem of deciding the emptiness of an arbitrary regular expression over the alphabet $\{0, 1\}$ and with operators $+$, $\cdot$ and $\neg$ is nonelementary. Given a regular expression $e$, we construct an ITL formula $h(e)$ which is satisfiable iff the language generated by $e$ is nonempty. The definition of $h$ is given by induction on the syntactic structure of $e$:

$$h(0) = (\neg P \wedge \mathit{empty})$$
$$h(1) = (P \wedge \mathit{empty})$$
$$h(e_1 + e_2) = [h(e_1) \vee h(e_2)]$$
$$h(\neg e) = \neg h(e)$$
$$h(e_1 \cdot e_2) = [h(e_1);\ \mathit{skip};\ h(e_2)]$$

For example, the translation of the regular expression $(0 \cdot 1) + \neg 1$ is

$$[(\neg P \wedge \mathit{empty});\ \mathit{skip};\ (P \wedge \mathit{empty})] \vee \neg(P \wedge \mathit{empty})$$

Note that the length of $h(e)$ is linear in that of $e$.

A formal proof relating nonemptiness of a regular expression $e$ and satisfiability of the ITL formula $h(e)$ would use a straightforward induction on the syntactic structure of $e$. ∎
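Both reductions of this section can be exercised on concrete inputs. The following Python is an added example, not from the dissertation: a propositional ITL evaluator over finite intervals (formulas as nested tuples, an encoding chosen here), the translation $f(G, A_i)$ together with the interpretation of the $A_i$ used in the proof of $(*)$, and Kozen's translation $h(e)$; bounded searches then look for a word in $L(G_1) \cap L(G_2)$ or in $L(e)$. The grammars and expressions are constructed for illustration; the bound on trace length is a practical limit, not something the theorems provide.

```python
"""Added example, not from the dissertation: a propositional ITL evaluator over
finite intervals, used to run the two reductions of this section, the grammar
translation f(G, A_i) with the interpretation of the A_i from the proof of (*)
and Kozen's regular-expression translation h(e).  Formulas are nested tuples
(an encoding chosen here); a state is one position of a 0/1 trace of P.  The
grammars and expressions are constructed for illustration."""
from functools import lru_cache
from itertools import product

def evaluate(w, i, j, interp):
    """Truth of w on s_i ... s_j; interp(name, a, b) is the value of the
    interval variable `name` on s_a ... s_b."""
    op, args = w[0], w[1:]
    ev = lambda x, a, b: evaluate(x, a, b, interp)
    if op == "var":   return interp(args[0], i, j)
    if op == "empty": return i == j
    if op == "skip":  return j == i + 1
    if op == "not":   return not ev(args[0], i, j)
    if op == "and":   return all(ev(x, i, j) for x in args)
    if op == "or":    return any(ev(x, i, j) for x in args)
    if op == "iff":   return ev(args[0], i, j) == ev(args[1], i, j)
    if op == "chop":  # w1 ; w2, both parts sharing the state s_k
        return any(ev(args[0], i, k) and ev(args[1], k, j) for k in range(i, j + 1))
    if op == "box_a": # w on every subinterval of s_i ... s_j
        return all(ev(args[0], a, b) for a in range(i, j + 1) for b in range(a, j + 1))
    raise ValueError(op)

def leaf(sym):
    """f(0) = (~P & empty), f(1) = (P & empty), f(A) = A for a nonterminal."""
    if sym in ("0", "1"):
        p = ("var", "P") if sym == "1" else ("not", ("var", "P"))
        return ("and", p, ("empty",))
    return ("var", sym)

def chain(parts):
    """w_1 ; skip ; w_2 ; skip ; ... ; w_k"""
    out = parts[-1]
    for part in reversed(parts[:-1]):
        out = ("chop", part, ("chop", ("skip",), out))
    return out

def f_grammar(grammar, start):
    """f(G, A_start): A_start and box_a(A_i <-> f(pi_i1) or ...) for every
    nonterminal.  grammar maps a nonterminal to its right-hand sides (tuples
    of symbols) and must be in Greibach normal form."""
    clauses = [("box_a", ("iff", ("var", a),
                ("or", *[chain([leaf(s) for s in rhs]) for rhs in rhss])))
               for a, rhss in grammar.items()]
    return ("and", ("var", start), *clauses)

def interpretation(grammar, trace):
    """The model of the proof of (*): A_i is true on s_a ... s_b iff
    trace[a..b] is in L(G, A_i); P is true in a state iff its bit is 1."""
    @lru_cache(maxsize=None)
    def member(nonterm, a, b):
        return any(matches(rhs, a, b) for rhs in grammar[nonterm])

    @lru_cache(maxsize=None)
    def matches(rhs, a, b):
        # rhs covers exactly the states a..b, a terminal covering one state;
        # the leading terminal of the Greibach form shortens each recursion
        sym, rest = rhs[0], rhs[1:]
        if sym in ("0", "1"):
            if trace[a] != sym:
                return False
            return a == b if not rest else a < b and matches(rest, a + 1, b)
        if not rest:
            return member(sym, a, b)
        return any(member(sym, a, k) and matches(rest, k + 1, b) for k in range(a, b))

    return lambda name, a, b: trace[a] == "1" if name == "P" else member(name, a, b)

def satisfies(grammar, start, trace):
    """(*): s_0 ... s_n |= f(G, A_start) iff the trace is in L(G, A_start)."""
    return evaluate(f_grammar(grammar, start), 0, len(trace) - 1, interpretation(grammar, trace))

def first_model(w, interp_of, max_len):
    """Bounded satisfiability: the first trace of at most max_len states on
    which w holds, or None.  None proves nothing beyond the bound; the
    problems reduced here are undecidable or nonelementary."""
    for n in range(1, max_len + 1):
        for bits in product("01", repeat=n):
            trace = "".join(bits)
            if evaluate(w, 0, n - 1, interp_of(trace)):
                return trace
    return None

def intersection_witness(g1, s1, g2, s2, max_len):
    """A word in L(G1) ∩ L(G2): a model of f(G1,S1) & f(G2,S2) (disjoint nonterminals)."""
    merged = {**g1, **g2}
    return first_model(("and", f_grammar(g1, s1), f_grammar(g2, s2)),
                       lambda trace: interpretation(merged, trace), max_len)

def h(e):
    """Kozen's translation of a regular expression with operators +, . and not."""
    op = e[0]
    if op in ("0", "1"): return leaf(op)
    if op == "+":        return ("or", h(e[1]), h(e[2]))
    if op == "not":      return ("not", h(e[1]))
    if op == ".":        return chain([h(e[1]), h(e[2])])
    raise ValueError(op)

def regex_witness(e, max_len):
    """A nonempty word in L(e), found as a model of h(e); an interval has at
    least one state, so the empty word is not represented."""
    return first_model(h(e), lambda trace: (lambda name, a, b: trace[a] == "1"), max_len)

G1 = {"S": [("0", "S", "1"), ("0", "1")]}                          # 0^n 1^n
G2 = {"T": [("0", "T"), ("0", "U")], "U": [("1", "U"), ("1",)]}    # 0^+ 1^+
```

`satisfies` evaluates the whole of $f(G, A_i)$, so it also checks that the membership interpretation really makes every equivalence $\Box_a(A_i \equiv \ldots)$ true; a grammar that is not in Greibach normal form can make `matches` loop, which is the same reason the inductive proof of $(*)$ needs that form.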
Remark: We can show nonelementary complexity even with the operator $\mathit{empty}$ instead of $\mathit{skip}$. We use a modified translation $h'$ defined as follows:

$$h'(0) = \mathit{group}(P, Q)$$
$$h'(1) = \mathit{group}(\neg P, Q)$$
$$h'(e_1 + e_2) = [h'(e_1) \vee h'(e_2)]$$
$$h'(\neg e) = \neg h'(e)$$
$$h'(e_1 \cdot e_2) = [h'(e_1);\ h'(e_2)]$$

Again, the language $L(e)$ generated by $e$ is nonempty iff $h'(e)$ is satisfiable. ∎


Chapter 3

FIRST-ORDER INTERVAL TEMPORAL LOGIC

§3.1 The Basic Formalism

We now give the syntax and semantics of first-order ITL. This subsequently serves as our hardware description language.

Syntax of expressions

Expressions and formulas are built inductively as follows:

• Individual variables: $U, V, \ldots$

• Functions: $f(e_1, \ldots, e_k)$, where $k \ge 0$ and $e_1, \ldots, e_k$ are expressions. In practice, we use functions such as $+$ and $\vee$ (bit-or). Constants like 0 and 1 are treated as zero-place functions.

Syntax of formulas

• Predicates: $p(e_1, \ldots, e_k)$, where $k \ge 0$ and $e_1, \ldots, e_k$ are expressions. Predicates include $\le$ and other basic relations.

• Equality: $e_1 = e_2$, where $e_1$ and $e_2$ are expressions.

• Logical connectives: $\neg w$ and $w_1 \wedge w_2$, where $w$, $w_1$ and $w_2$ are formulas.

• Existential quantification: $\exists V.\,w$, where $V$ is a variable and $w$ is a formula.

• Next: $\bigcirc w$, where $w$ is a formula.

• Semicolon: $w_1; w_2$, where $w_1$ and $w_2$ are formulas.


Models

A model consists of a set of states $\Sigma = \{s, t, \ldots\}$ and a domain $D$ together with an interpretation $\mathcal{M}$ mapping each variable $V$ and interval $s_0 \ldots s_n$ to some value $\mathcal{M}_{s_0 \ldots s_n}\llbracket V \rrbracket$ in $D$. Furthermore, each function and predicate symbol is given some meaning. As in propositional ITL, for quantification to properly work, there must be some interval for every possible behavior of variables. Each $k$-place function symbol $f$ has an interpretation $\mathcal{M}\llbracket f \rrbracket$ which is a function mapping $k$ elements in $D$ to a single value:

$$\mathcal{M}\llbracket f \rrbracket \in (D^k \to D)$$

Interpretations of predicate symbols are similar but map to truth values:

$$\mathcal{M}\llbracket p \rrbracket \in (D^k \to \{\mathit{true}, \mathit{false}\})$$

The semantics given here keep the interpretations of function and predicate symbols independent of intervals and thus time-invariant. The semantics can however be extended to allow for functions and predicates that take into account the dynamic behavior of parameters.

Interpretation of expressions and formulas

We now extend the interpretation $\mathcal{M}$ to arbitrary expressions and formulas:

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket f(e_1, \ldots, e_k) \rrbracket = \mathcal{M}\llbracket f \rrbracket(\mathcal{M}_{s_0 \ldots s_n}\llbracket e_1 \rrbracket, \ldots, \mathcal{M}_{s_0 \ldots s_n}\llbracket e_k \rrbracket)$

The interpretation of the function symbol $f$ is applied to the interpretations of $e_1, \ldots, e_k$.

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket p(e_1, \ldots, e_k) \rrbracket = \mathcal{M}\llbracket p \rrbracket(\mathcal{M}_{s_0 \ldots s_n}\llbracket e_1 \rrbracket, \ldots, \mathcal{M}_{s_0 \ldots s_n}\llbracket e_k \rrbracket)$

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket e_1 = e_2 \rrbracket = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}\llbracket e_1 \rrbracket = \mathcal{M}_{s_0 \ldots s_n}\llbracket e_2 \rrbracket$

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket \neg w \rrbracket = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}\llbracket w \rrbracket = \mathit{false}$

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket w_1 \wedge w_2 \rrbracket = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}\llbracket w_1 \rrbracket = \mathit{true}$ and $\mathcal{M}_{s_0 \ldots s_n}\llbracket w_2 \rrbracket = \mathit{true}$

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket \exists V.\,w \rrbracket = \mathit{true}$ iff for some $\alpha$, $\mathcal{M}_{s'_0 \ldots s'_n}\llbracket w \rrbracket = \mathit{true}$,

where $s'_0 \ldots s'_n = (s_0 \ldots s_n)[V/\alpha]$ and the function $\alpha(i, j)$ maps pairs $0 \le i \le j \le n$ to values in the data domain $D$.

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket \bigcirc w \rrbracket = \mathit{true}$ iff $n \ge 1$ and $\mathcal{M}_{s_1 \ldots s_n}\llbracket w \rrbracket = \mathit{true}$

• $\mathcal{M}_{s_0 \ldots s_n}\llbracket w_1; w_2 \rrbracket = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_i}\llbracket w_1 \rrbracket = \mathit{true}$ and $\mathcal{M}_{s_i \ldots s_n}\llbracket w_2 \rrbracket = \mathit{true}$,

for some $i$, $0 \le i \le n$.

Satisfiability  and  validity  of  formulas  are  as  in  the  propositional  case.  All  the 
other  related  temporal  operators  mentioned  earlier  are  expressible  as  before.  If  the 
data  domain  D  includes  at  least  two  values,  the  iterative  construct  w*  can  also  be 
expressed. 

Arithmetic domain

We will assume that the data domain $D$ contains natural numbers as well as nested finite lists. Both 0 and 1 serve as numbers and bits, with 0 standing for low voltage and 1 standing for high voltage. The data domain does not contain any intermediate voltages or "undefined" values. We permit finite sets and represent them by lists. The following are sample values:

$$0,\quad 3,\quad \langle 0 \rangle,\quad \{1, 2\},\quad \langle\rangle,\quad \langle 6, 3, \langle\rangle, 9 \rangle,\quad \langle 4, \{3, 2\} \rangle$$

We adopt the convention that an $n$-element list $L$ has subscripts ranging from 0 on the left to $n - 1$ on the right:

$$L = \langle L[0], \ldots, L[n - 1] \rangle, \quad\text{where } n = |L|$$

It is assumed that $\mathcal{M}$ contains standard interpretations of function and predicate symbols such as $+$, $\le$ and $\vee$ (bit-or). We also include conditional expressions and conventional operators for constructing, combining, subscripting and determining the length of finite lists and sets.

The unary predicate $\mathit{nat}(U)$ is true if $U$'s value is a natural number (i.e., nonnegative integer).

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket \mathit{nat}(U) \rrbracket = \mathit{true} \quad\text{iff}\quad \mathcal{M}_{s_0 \ldots s_n}\llbracket U \rrbracket \in \{0, 1, 2, \ldots\}$$

Sometimes we use the predicate $\mathit{time}$ instead of $\mathit{nat}$ when the associated parameter is used as a time. The two predicates are however semantically equivalent. The predicate $\mathit{bit}$ checks if a value is either 0 or 1 and the predicate $\mathit{positive}$ checks for positive integers (that is, integers $\ge 1$).

Temporal domain

A variable $V$ is static in an interval $s_0 \ldots s_n$ if $V$ has a single interpretation over all subintervals:

$$\mathcal{M}_{s_i \ldots s_j}\llbracket V \rrbracket = \mathcal{M}_{s_0 \ldots s_n}\llbracket V \rrbracket, \quad\text{for all } 0 \le i \le j \le n$$

Just as $\mathit{nat}$ and $\mathit{bit}$ look at the type of a value, the predicate $\mathit{static}$ checks that its parameter is static in an interval. We give $\mathit{static}$ the following interpretation:

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket \mathit{static}(V) \rrbracket = \mathit{true}$$
$$\text{iff for some } d \in D, \text{ for all } 0 \le i \le j \le n,\ \mathcal{M}_{s_i \ldots s_j}\llbracket V \rrbracket = d$$

Within an interval $s_0 \ldots s_n$, a signal has a unique value for all subintervals starting with a given state. Thus, signals are local in the sense of LITL. The predicate $\mathit{signal}(V)$ is true iff the variable $V$ behaves as a signal. We define $\mathit{signal}$ as follows:

$$\mathit{signal}(V) \equiv_{\mathrm{def}} \Box\,\exists U.\,[\mathit{static}(U) \wedge \Box_i(V = U)]$$

where $\Box_i w$ requires $w$ to hold in every initial subinterval. The predicate $\mathit{Bit}$ checks that its parameter is always bit-valued:

$$\mathit{Bit}(V) \equiv_{\mathrm{def}} \Box\,\mathit{bit}(V)$$

Naming conventions for variables

For convenience, we will associate sorts with variables:

• Interval variables: $A, M, X, \ldots$

These can vary in value from interval to interval and are also known as non-local or path variables.

• Signal variables: $A, N, X, \ldots$

Signal variables can also be referred to as local or state variables.

• Static variables: $a, n, x, \ldots$

Static variables can also be called global or frame variables. All static variables are signals.

In general, variables such as $A$, $B$ and $c$ range over all elements of the data domain $D$. On the other hand, $J$, $K$ and $n$ range over natural numbers. The variables $X$, $Y$ and $z$ always equal one of the bit values 0 and 1. If desired, the naming style suggested here can also be used in propositional ITL.

As in conventional first-order logic, sort information can always be made explicit. For example, a formula $\forall b.\,w$ containing a static variable $b$ is equivalent to the formula

$$\forall V.\,[\mathit{static}(V) \supset w^b_V]$$

where the formula $w^b_V$ results from replacing all free occurrences of $b$ in $w$ by the sort-free variable $V$.

§3.2  Some  First-Order  Temporal  Concepts 

Within  the  framework  of  first-order  temporal  logic,  we  can  explore  a  variety 
of  qualitative  and  quantitative  timing  issues.  The  constructs  given  below  are  useful 
for  describing  and  reasoning  about  circuits. 

Temporal assignment

The formula $A \to B$ is true for an interval if the signal $A$'s initial value equals $B$'s final value:

$$A \to B \equiv_{\mathrm{def}} \forall c.\,[\mathit{beg}(A = c) \supset \mathit{fin}(B = c)]$$

We call this temporal assignment. Unlike in conventional programming languages, it is perfectly acceptable to have an arbitrary expression on the receiving end of the arrow. Furthermore, temporal assignment only affects variables explicitly mentioned; the values of other variables do not necessarily remain fixed. Incidentally, because the variables $A$ and $c$ are signals, the subformula $\mathit{beg}(A = c)$ used in the definition could be replaced by $A = c$.

Examples:

    Concept                               Formula
    Z gets the initial value of ¬Y        $(\neg Y) \to Z$
    I doubles                             $2I \to I$
    M + N doesn't change                  $(M + N) \to (M + N)$
    A and B swap values                   $(A \to B) \wedge (B \to A)$


As noted above, temporal assignment specifies nothing about the behavior of those variables that are not referenced. Thus, the formulas

$$[(I + 2) \to J]$$

and

$$[(I + 2) \to J] \wedge [I \to I]$$

are not equivalent.

Properties:

$\vdash a \to a$

A static variable's initial and final values agree.

$\vdash [(A \to B);\ (B \to C)] \supset (A \to C)$

If $B$ gets $A$'s value and then $C$ gets $B$'s, the net result is that $C$ gets $A$'s initial value.

$\vdash \mathit{empty} \supset (A \to A)$

In an empty interval, the first and last states are identical. Therefore, a variable's initial and final values agree.

$\vdash (A \to B) \supset [f(A) \to f(B)]$

If $A$ is assigned to $B$, then any time-invariant function application $f(A)$ is passed to $f(B)$.

$\vdash [(\neg Z \to Z);\ (\neg Z \to Z)] \supset (Z \to Z)$

If a bit signal is twice complemented, it ends up with its original value.

Temporal equality

Two signals $A$ and $B$ are temporally equal in an interval if they have the same values in all states. This is written $A \approx B$ and differs from constructs for initial and terminal equality, which only examine signals' values at the extremes of the interval:

$$A \approx B \equiv_{\mathrm{def}} \Box_a(A = B)$$

Because $A$ and $B$ are signals, the formula $A \approx B$ can also be expressed using the linear-time temporal operator $\Box$:

$$\vdash A \approx B \equiv \Box(A = B)$$

Examples:

    Concept                                          Formula
    The signal A is 0 throughout the interval        $A \approx 0$
    The bit-and of X and Y everywhere equals 0       $(X \wedge Y) \approx 0$
    X agrees everywhere with the complement of Y     $X \approx \neg Y$

Property:

$\vdash [(A, B) \approx (A', B')] \equiv (A \approx A' \wedge B \approx B')$

The pair $(A, B)$ temporally equals $(A', B')$ exactly if the signal $A$ temporally equals $A'$ and $B$ temporally equals $B'$.
Temporal stability

A signal $A$ is stable if it has a fixed value. The notation used is $\mathit{stb}\,A$ and can be expressed as shown below:

$$\mathit{stb}\,A \equiv_{\mathrm{def}} \exists b.\,(A \approx b)$$

It follows from this that every static variable is stable.

Properties:

$\vdash \mathit{stb}\,X \equiv [X \approx 0 \vee X \approx 1]$

A bit signal $X$ is stable iff it is always 0 or always 1.

$\vdash \mathit{stb}(A, B) \equiv [\mathit{stb}\,A \wedge \mathit{stb}\,B]$

A pair is stable exactly if the two individual signals are.

Iteration

The propositional constructs $w^*$ and $\mathbf{while}\ w_1\ \mathbf{do}\ w_2$ can be expressed as in propositional ITL with quantification. We can also augment the first-order logic with iteration of the form $w^e$ where $w$ is a formula and $e$ is an arithmetic expression. We first define the construct $\mathit{cycle}^e\,w$ which iterates $w$ the number of times specified by $e$:

$$\mathit{cycle}^e\,w \equiv_{\mathrm{def}} \exists I.\,[\mathit{beg}(I = e) \wedge \mathbf{while}\ (I \ne 0)\ \mathbf{do}\ (w \wedge [I - 1 \to I])]$$

where the quantified variable $I$ does not occur free in $e$ or $w$. We initially set $I$ to $e$ and then decrement $I$ by 1 over each iteration. The semantics of $\mathit{cycle}$ are such that the individual iterations of $w$ take at least one unit of time since $I$ cannot decrease in an empty interval. Thus the formulas

$$\mathit{cycle}^e\,w$$

and

$$\mathit{cycle}^e\,(w \wedge \neg\mathit{empty})$$

are semantically equivalent.

In order for the formula $w^e$ to permit possibly empty steps, we define it as follows:

$$w^e \equiv_{\mathrm{def}} \mathit{cycle}^e\,w \ \vee\ \exists i, j.\,(i + j < e \wedge [(\mathit{cycle}^i\,w);\ (w \wedge \mathit{empty});\ (\mathit{cycle}^j\,w)])$$

where the static variables $i$ and $j$ do not occur free in $w$ or $e$. By introducing extra quantified variables that always equal $w$ and $e$, we can modify this definition to be linear in the size of $w$ and $e$.

Examples:

    Concept                             Formula
    Z is complemented n times           $(\neg Z \to Z)^n$
    N doubles some number of times      $(2N \to N)^*$
    I keeps halving itself
    While construct                     $\mathbf{while}\ (I < n)\ \mathbf{do}\ (I + 1 \to I)$

Properties:

$\vdash (f(A) \to A)^3 \supset [f^3(A) \to A]$

After a series of three applications of $f$, $A$ ends up with the initial value of $f^3(A)$, where $f^3(A) = f(f(f(A)))$.

$\vdash ([I + 1 \to I]^m)^n \supset ([I + mn] \to I)$

This property illustrates how to nest iteration.

Measuring the length of an interval

We will view the formula

$$\mathit{len} = e$$

as an abbreviation for the iterative construct

$$\mathit{skip}^e$$

This is true exactly of intervals with length $e$. The construct $\mathit{len} \ge e$ expands to

$$\exists i \ge e.\,(\mathit{len} = i)$$

We can similarly use formulas such as $\mathit{len} \le e$.

Alternatively, we can introduce $\mathit{len}$ as an interpreted 0-place temporal function whose value for any interval $s_0 \ldots s_n$ equals the length $n$:

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket \mathit{len} \rrbracket = n$$


Examples:

    Concept                                                     Formula
    The signal A is stable and the interval has ≥ m + n units   $\mathit{stb}\,A \wedge (\mathit{len} \ge m + n)$
    In some subinterval of length ≥ m, X is stable              $\Diamond_a([\mathit{len} \ge m] \wedge \mathit{stb}\,X)$
    I doubles in ≤ I steps                                      $(2I \to I) \wedge (\mathit{len} \le I)$

Here $\Diamond_a w$ means that $w$ holds in some subinterval.

Properties:

$\vdash \mathit{empty} \equiv (\mathit{len} = 0)$

The predicate $\mathit{empty}$ is true exactly if the interval has length 0.

$\vdash \mathit{skip} \equiv (\mathit{len} = 1)$

The predicate $\mathit{skip}$ is true if the interval has length exactly 1. Since time is discrete, this is the minimum nonzero width.

$\vdash (\mathit{len} = m + n) \equiv [(\mathit{len} = m);\ (\mathit{len} = n)]$

An interval of length $m + n$ can be subdivided into two adjacent intervals of lengths $m$ and $n$. The converse is also true.
Expressions based on next

We extend the operator next to handle expressions. The construct $\bigcirc e$ for an interval $s_0 \ldots s_n$ equals the value of the expression $e$ in the subinterval $s_1 \ldots s_n$:

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket \bigcirc e \rrbracket = \mathcal{M}_{s_1 \ldots s_n}\llbracket e \rrbracket$$

If the length of the interval is 0, the resulting value is left unspecified. The following natural extension of next facilitates looking at values some specified number of units in the future:

$$\mathcal{M}_{s_0 \ldots s_n}\llbracket \bigcirc^{e_1} e_2 \rrbracket = \mathcal{M}_{s_i \ldots s_n}\llbracket e_2 \rrbracket, \quad\text{where } i = \mathcal{M}_{s_0 \ldots s_n}\llbracket e_1 \rrbracket$$

This definition results in the following properties:

$\vdash \bigcirc^0 e = e$

$\vdash \bigcirc^1 e = \bigcirc e$

We can analogously permit formulas of the form $\bigcirc^e w$, where $w$ is itself a formula and $e$ is an expression.

We now show how to eliminate these constructs. The formula $\bigcirc^e w$ abbreviates

$$\exists i.\,((i = e) \wedge [(\mathit{len} = i);\ w]),$$

where $i$ does not occur free in $w$ or $e$. A formula of the form $A = \bigcirc^{e_1} e_2$ becomes

$$\exists b.\,[(\bigcirc^{e_1}[b = e_2]) \wedge (A = b)]$$

where $b$ does not occur free in $e_1$ or $e_2$.

Initial and terminal stability

The predicate $\mathit{istb}_m\,A$ is true for an interval $s_0 \ldots s_n$ if the signal $A$ is stable in the initial states $s_0 \ldots s_m$. The next definition has this meaning:

$$\mathit{istb}_m\,A \equiv_{\mathrm{def}} (\mathit{stb}\,A \wedge \mathit{len} = m);\ \mathit{true}$$

Note that the formula is false on an interval of length less than $m$. By analogy, $\mathit{tstb}_m\,A$ is true if $A$ ends up stable for at least $m$ units of time:

$$\mathit{tstb}_m\,A \equiv_{\mathrm{def}} \mathit{true};\ (\mathit{stb}\,A \wedge \mathit{len} = m)$$

Property:

$\vdash \mathit{istb}_{m+n}\,A \supset \mathit{istb}_m\,A$

The time factor can be reduced.

Blocking

It is useful to specify that as long as a signal $A$ remains stable, so does another signal $B$. We say that $A$ blocks $B$ and write this as $A\ \mathit{blk}\ B$. The predicate $\mathit{blk}$ can be expressed using the temporal formula

$$A\ \mathit{blk}\ B \equiv_{\mathrm{def}} \Box_i(\mathit{stb}\,A \supset \mathit{stb}\,B)$$

which quantifies over all initial subintervals.

Examples:

    Concept                                          Formula
    While A remains stable, so do B and C            $A\ \mathit{blk}\ (B, C)$
    As long as the pair (A, B) is stable, so is C    $(A, B)\ \mathit{blk}\ C$

Properties:

$\vdash [A\ \mathit{blk}\ B \wedge \mathit{stb}\,A] \supset \mathit{stb}\,B$

If $A$ blocks $B$ and $A$ is stable, then so is $B$.

$\vdash [A\ \mathit{blk}\ B \wedge B\ \mathit{blk}\ C] \supset A\ \mathit{blk}\ C$

Blocking is transitive.

$\vdash A\ \mathit{blk}\ (B, C) \equiv [A\ \mathit{blk}\ B \wedge A\ \mathit{blk}\ C]$

The signal $A$ blocks the pair $(B, C)$ exactly if $A$ blocks both $B$ and $C$. This and the next property generalise to lists of arbitrary length.

$\vdash (A, B)\ \mathit{blk}\ C \equiv [A\ \mathit{blk}\ C \vee B\ \mathit{blk}\ C]$

The pair $(A, B)$ blocks $C$ iff $A$ blocks $C$ or $B$ blocks $C$.

$\vdash A\ \mathit{blk}\ B \supset \neg(\mathit{stb}\,A;\ \neg[A\ \mathit{blk}\ B])$

If $A$ blocks $B$, then after $A$ is stable it continues to block $B$.

The predicate $A\ \mathit{blk}\ B$ can be extended to allow for quantitative timing. When describing the behavior of digital circuits, it is often useful to state that in any initial interval where $A$ remains stable up to within the last $m$ units of time, $B$ is stable throughout:

$$A\ \mathit{blk}_m\ B \equiv_{\mathrm{def}} \Box_i[(\mathit{stb}\,A;\ \mathit{len} \le m) \supset \mathit{stb}\,B]$$

This modification has utility in situations where $B$ is known to be slow in responding to changes in $A$.

Properties:

$\vdash A\ \mathit{blk}\ B \equiv A\ \mathit{blk}_0\ B$

The original notation is equivalent to the quantitative one with blocking factor 0.

$\vdash [A\ \mathit{blk}_m\ B \wedge B\ \mathit{blk}_n\ C] \supset A\ \mathit{blk}_{m+n}\ C$

Transitivity accumulates blocking factors. Other properties of the predicate $\mathit{blk}$ can also be extended to include quantitative timing.

$\vdash A\ \mathit{blk}_1\ A \supset \mathit{stb}\,A$

If a signal $A$ won't change until after it does, then $A$ is stable. This is a form of induction over time. The converse is also true.

Rising and falling signals

A rising bit signal can be described by the predicate $\uparrow X$:

$$\uparrow X \equiv_{\mathrm{def}} [(X \approx 0);\ \mathit{skip};\ (X \approx 1)]$$

This says that $X$ is 0 for a while and then jumps to 1. The gap of quantum length represented by the test $\mathit{skip}$ is necessary here since a signal cannot be 0 and 1 at the same instant. Falling signals are analogously described by the construct $\downarrow X$:

$$\downarrow X \equiv_{\mathrm{def}} [(X \approx 1);\ \mathit{skip};\ (X \approx 0)]$$

Examples:

    Concept                                        Formula
    X is stable and Y goes up                      $\mathit{stb}\,X \wedge \uparrow Y$
    The bit-or of X and Y falls                    $\downarrow(X \vee Y)$
    In every subinterval where X rises, Y falls    $\Box_a(\uparrow X \supset \downarrow Y)$
    X goes up and then back down                   $\uparrow X;\ \downarrow X$
    X twice goes up and down                       $(\uparrow X;\ \downarrow X)^2$

Properties:

$\vdash (\uparrow X \wedge \uparrow Y) \supset [\uparrow(X \wedge Y) \wedge \uparrow(X \vee Y)]$

If two bit signals rise, so do their bit-and and bit-or.

$\vdash \downarrow X \equiv \uparrow(\neg X)$

A bit signal falls exactly if its complement rises.

$\vdash [\uparrow X \wedge \mathit{beg}(Y = 0) \wedge (X\ \mathit{blk}\ Y)] \supset \uparrow(X \vee Y)$

If $X$ rises and in addition $Y$ initially equals 0 and is blocked by $X$, then the bit-or of $X$ and $Y$ also rises.

These operators can be extended to include quantitative information specifying minimum periods of stability before and after the transitions. For example, timing details can be added to the operator $\uparrow$:

$$\uparrow^{m,n} X \equiv_{\mathrm{def}} [(X \approx 0 \wedge \mathit{len} \ge m);\ \mathit{skip};\ (X \approx 1 \wedge \mathit{len} \ge n)]$$

This can also be expressed as shown below:

$$\vdash \uparrow^{m,n} X \equiv (\uparrow X \wedge \mathit{istb}_m\,X \wedge \mathit{tstb}_n\,X)$$

Thus, the extended form of $\uparrow$ can be reduced to the original one with separate details concerning initial and terminal stability.

A negative pulse with quantitative information can be described as shown below:

$$[(X \approx 1 \wedge \mathit{len} \ge l);\ \mathit{skip};\ (X \approx 0 \wedge \mathit{len} \ge m);\ \mathit{skip};\ (X \approx 1 \wedge \mathit{len} \ge n)]$$

Positive pulses are similarly defined. These constructs can be further modified to provide for noninstantaneous rise and fall times.

Smoothness

A bit signal $X$ is smooth if it is either stable or has a single transition. The following definition illustrates one way to express smoothness:

$$\mathit{sm}\,X \equiv_{\mathrm{def}} (\mathit{stb}\,X \vee \uparrow X \vee \downarrow X)$$

The next property gives two equivalent ways to say that a bit signal rises or falls:

$$\vdash (\uparrow X \vee \downarrow X) \equiv (\mathit{sm}\,X \wedge [\neg X \to X])$$

Since digital devices often require clock inputs to be smooth, it is sometimes important to ensure that a signal has this property. The predicate $\mathit{sm}$ can be extended to include quantitative timing details similar to those given for the predicates $\uparrow$ and $\downarrow$:

$$\mathit{sm}_{m,n}\,X \equiv_{\mathrm{def}} (\mathit{sm}\,X \wedge \mathit{istb}_m\,X \wedge \mathit{tstb}_n\,X)$$

The notion of smoothness generalizes to arbitrary signals. A scalar-valued signal $A$ is smooth if it is either stable or has a single transition:

$$\mathit{sm}\,A \equiv_{\mathrm{def}} [\mathit{stb}\,A \vee (\mathit{stb}\,A;\ \mathit{skip};\ \mathit{stb}\,A)]$$

A list $L$ is inductively defined to be smooth if all its components are smooth:

$$\mathit{sm}\,L \equiv_{\mathrm{def}} \forall\, 0 \le i < |L|.\,(\mathit{sm}\,L[i])$$

The individual components of $L$ need not all change at the same instant.


Chapter  4 


DELAYS  AND  COMBINATIONAL  ELEMENTS 


Delay is a fundamental phenomenon in dynamic systems and an examination of it touches upon basic issues ranging from feedback and parallelism to implementation and internal device states. In addition, a key design decision in building any hardware simulator centers around the treatment of delay. For example, Breuer and Friedman [10] and Blunden et al. [8] present a number of models of propagation. For these and other reasons, it is worth taking a detailed look at various forms of signal propagation.

§4.1  Unit  Delay 

One  of  the  simplest  and  most  important  types  of  delay  elements  can  be  modeled 
as  having  the  following  structure: 


Here $A$ is the input signal and $B$ is the associated output. The following statement uses intervals to characterise the desired behavior:

    In every subinterval of length exactly one unit, the initial value of
    the input A equals the final value of the output B.

The next predicate $\mathit{del}$ formalises this:

$$A\ \mathit{del}\ B \equiv_{\mathrm{def}} \Box_a[(\mathit{len} = 1) \supset (A \to B)]$$
Properties

$\vdash (A\ \mathit{del}\ B) \equiv (\mathit{skip} \wedge [A \to B])^*$

Unit delay can also be viewed as the successive iteration of atomic assignments. This suggests how to implement unit delay by means of looping.

$\vdash (A\ \mathit{del}\ B) \equiv \mathit{keep}(A = \bigcirc B)$

The concept of unit delay can be expressed in semicolon-free linear-time temporal logic.

$\vdash (A\ \mathit{del}\ A) \equiv \mathit{stb}\,A$

If a signal is fed back to itself, it is stable. The converse is also true.

§4.2 Transport Delay

It is natural to extend the predicate $\mathit{del}$ to cover delays over $m$-unit intervals:

$$A\ \mathit{del}_m\ B \equiv_{\mathrm{def}} \Box_a[(\mathit{len} = m) \supset (A \to B)]$$

Breuer and Friedman [10] refer to this as transport delay.

Properties:

$\vdash (A\ \mathit{del}_0\ B) \equiv (A \approx B)$

Zero delay is equivalent to temporal equality.

$\vdash A\ \mathit{del}_0\ A$

A signal has zero delay to itself.

$\vdash (A\ \mathit{del}_m\ B \wedge B\ \mathit{del}_n\ C) \supset A\ \mathit{del}_{m+n}\ C$

Delay is cumulative.

$\vdash (A, B)\ \mathit{del}_m\ (A', B') \equiv (A\ \mathit{del}_m\ A' \wedge B\ \mathit{del}_m\ B')$

Delay between pairs is equivalent to component-wise delay. This generalises to lists of arbitrary length.
§4.3 Functional Delay

Often, one signal receives a delayed function of another. The following examples illustrate this and are based on the predicate $\mathit{del}$ although the other delay models later presented can also be used.

Examples:

    Concept                                          Formula
    X keeps on being complemented                    $(\neg X)\ \mathit{del}\ X$
    B either accepts A or itself, depending on X     $[\mathbf{if}\ (X = 1)\ \mathbf{then}\ A\ \mathbf{else}\ B]\ \mathit{del}\ B$
    N keeps on doubling                              $2N\ \mathit{del}\ N$
    A receives a delayed f(A, B)                     $f(A, B)\ \mathit{del}\ A$
    I keeps decrementing by 1                        $I\ \mathit{del}\ (I + 1)$

Here is the description of a system that runs the variable $I$ from 0 to $n$ and simultaneously sums $I$ into $J$:

$$\mathit{beg}(I = 0 \wedge J = 0) \wedge [(I + 1)\ \mathit{del}\ I] \wedge [(I + J)\ \mathit{del}\ J] \wedge \mathit{halt}(I = n)$$

Properties:

$\vdash [f(A)\ \mathit{del}_m\ B \wedge g(B)\ \mathit{del}_n\ C] \supset g(f(A))\ \mathit{del}_{m+n}\ C$

Functional composition applies.

$\vdash (\neg X)\ \mathit{del}_m\ Y \equiv X\ \mathit{del}_m\ (\neg Y)$

Bit inversion can occur either on the input or output.

$\vdash [(\neg X)\ \mathit{del}_m\ Y \wedge (\neg Y)\ \mathit{del}_n\ Z] \supset X\ \mathit{del}_{m+n}\ Z$

Two inverters cancel.
§4.4 Delay Based on Shift Register

An $(m + 1)$-bit vector $R$ acting as a shift register can be specified as follows:

$$R[0]\ \mathit{del}\ R[1] \wedge \cdots \wedge R[m - 1]\ \mathit{del}\ R[m]$$

Over each unit of time, the contents of $R$ shift right by one element. That is, the value of $R[0]$ is passed to $R[1]$ and so forth. This description is more formally expressed by means of quantification:

$$\forall i \in [0, m - 1].\,(R[i]\ \mathit{del}\ R[i + 1])$$

The next formula has the same meaning but is more concise:

$$R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m],$$

where the vector $R[0\ \mathbf{to}\ m - 1]$ by definition equals $\langle R[0], \ldots, R[m - 1] \rangle$.

The following property shows how to achieve an $m$-unit delay by means of such a shift register:

$$\vdash R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m] \supset R[0]\ \mathit{del}_m\ R[m] \qquad (*)$$

This suggests an implementation of $A\ \mathit{del}_m\ B$ of the form $A\ \mathit{shdel}^R_m\ B$:

$$A\ \mathit{shdel}^R_m\ B \equiv_{\mathrm{def}} (A \approx R[0] \wedge B \approx R[m] \wedge R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m])$$

Here, the value of $A$ is fed into $R[0]$ and $B$ receives the value $R[m]$. The correctness of this implementation is given by the following property:

$$\vdash A\ \mathit{shdel}^R_m\ B \supset A\ \mathit{del}_m\ B$$

We  can  localise  R  in  the  formula  A  ahdel JJ  B  by  defining  a  variant  A  ahd*lm  B 
that  existentially  quantifies  over  R: 

A  ahdelm  B  mM  3 R.[(R:  aignalm+l)  a  (A  ahdel%  fl)] 
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Here  the  construct 

R:  aignalm+l 

constrains  R  to  being  a  vector  of  m  +  1  signals.  This  notation  will  be  described  in 
more  detail  in  the  next  chapter.  Note  that  R  is  assumed  to  exist  without  necessarily 
being  externally  visible  to  an  observer.  The  quantifier’s  effect  on  scoping  is  similar 
to  that  of  a  begin-block  in  a  conventional  block-structured  programming  language. 
We  call  A  shdelm  B  an  external  specification  of  the  implementation.  In  fact,  this 
is  logically  equivalent  to  the  basic  delay  predicate  A  delm  B  as  the  next  property 
states: 

h  Aahdelm  B  =  Adtlm  B 

Basically,  the  proof  that  shdel  implies  del  follows  from  the  property  (*)  given 
above.  The  converse  requires  demonstrating  that  some  R  exists.  Perhaps  the  easiest 
way  to  do  this  is  by  direct  construction.  At  each  instant  of  time,  the  values  of  the 
m  +  1  elements  of  R  can  be  those  of  the  next  m  + 1  values  of  B  in  appropriate  order: 

A[t]  O’"'*  B,  for  0  £  t  £  m 

The  output  value  f2[m]  always  equals  the  expression  O0  B,  which  is  defined  to  be 
B’ s  current  value.  Similarly,  R[0]  always  equals  O m  B,  that  is,  the  value  B  will 
have  m  units  later.  This  technique  works  even  if  the  interval  has  length  less  than 
m. 
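The following Python model is an added example and is not part of the dissertation. It gives the finite-trace reading of the constructs used in §4.3 and §4.4: a signal is a list indexed by time, `del_m` checks $A\ \mathit{del}^m\ B$, `run_counter_summer` executes the counter-and-summer specification of §4.3, and `construct_shift_register` builds the witness $R[i] \approx \bigcirc^{m-i} B$ used in the proof that del implies shdel. The function names, the use of `None` for states the specification leaves unconstrained, and the sample traces are all assumptions of this example.

```python
# Added example (not from the dissertation): finite-trace semantics for
# `del` and for the shift-register implementation shdel of §4.3-§4.4.
# A signal is a Python list indexed by time t; the whole list is the interval.
# A value of None stands for a state the specification leaves unconstrained.

def _eq(x, y):
    """Equality in which None is a don't-care value."""
    return x is None or y is None or x == y


def del_m(a, b, m):
    """A del^m B on a finite trace: over every subinterval of length m the
    initial value of A equals the final value of B, i.e. B[t+m] = A[t]."""
    assert len(a) == len(b)
    return all(_eq(a[t], b[t + m]) for t in range(len(a) - m))


def approx_eq(a, b):
    """A ≈ B: the two signals agree at every state of the interval."""
    return len(a) == len(b) and all(_eq(x, y) for x, y in zip(a, b))


def run_counter_summer(n):
    """Execute the specification
         beg(I = 0 ∧ J = 0) ∧ (I + 1) del I ∧ (I + J) del J ∧ halt(I = n)
    Each `e del V` fixes the next value of V to the current value of e, and
    halt(I = n) ends the interval at the first state where I = n."""
    assert n >= 0
    i_trace, j_trace = [0], [0]
    while i_trace[-1] != n:
        i, j = i_trace[-1], j_trace[-1]
        i_trace.append(i + 1)
        j_trace.append(i + j)
    return i_trace, j_trace


def construct_shift_register(b, m):
    """The witness R from the proof that del implies shdel:
         R[i] ≈ ○^(m-i) B   for 0 ≤ i ≤ m,
    so R[t][i] is the value B has at time t + m - i.  Past the end of the
    interval the value is unconstrained (None), so this also works when the
    interval is shorter than m."""
    T = len(b)
    return [[b[t + m - i] if t + m - i < T else None for i in range(m + 1)]
            for t in range(T)]


def cell(R, i):
    """Signal formed by the i-th cell of the register over time."""
    return [row[i] for row in R]


def shdel_R(a, b, R, m):
    """A shdel^m_R B ≡ (A ≈ R[0] ∧ R[m] ≈ B ∧ R[0 to m-1] del R[1 to m])."""
    shifts = all(del_m(cell(R, i), cell(R, i + 1), 1) for i in range(m))
    return approx_eq(a, cell(R, 0)) and approx_eq(cell(R, m), b) and shifts


def shdel_equivalent_to_del(a, b, m):
    """Checks both directions of  A shdel^m B ≡ A del^m B  on one trace:
    if del holds, the constructed R satisfies shdel; and shdel on that R
    entails del (property (*))."""
    R = construct_shift_register(b, m)
    return shdel_R(a, b, R, m) == del_m(a, b, m)
```

On the trace `a = [1, 0, 0, 1, 1, 0, 1, 0]` with `b` equal to `a` shifted right by three (its first three states unconstrained), `del_m(a, b, 3)` holds and the constructed register satisfies `shdel_R`; replacing `b` with a constant signal makes both sides false together, and a two-state interval with `m = 3` still agrees, as the text claims.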


§4.5 Variable Transport Delay

A batch of delay elements may have varying characteristics although each individual device is rather fixed in its timing behavior. The predicate $A\ \mathit{vardel}^{m,n}\ B$ specifies that A's value is propagated to B by transport delay with some uncertain factor between m and n:

$$A\ \mathit{vardel}^{m,n}\ B \equiv_{\mathrm{def}} \exists k \in [m, n].\ (A\ \mathit{del}^k\ B)$$
§4.6 Delay with Sampling

Digital circuits often require that inputs remain stable and be sampled for some minimum amount of time in order to ensure proper device operation. The delay model $A\ \mathit{sadel}^m\ B$ has this characteristic:

$$A\ \mathit{sadel}^m\ B \equiv_{\mathrm{def}} \Box[(\mathit{stb}\ A \wedge \mathit{len} \ge m) \supset \mathit{fin}(A = B)]$$

Here the input A must be stable at least m units of time for the output B to equal A. Behavior during changes in A is left unspecified. The properties below illustrate two other ways of expressing sadel. We present them to demonstrate other possible styles:

$$\models A\ \mathit{sadel}^m\ B \equiv \Box(\mathit{tstb}^m A \supset \mathit{fin}(A = B))$$

$$\models A\ \mathit{sadel}^m\ B \equiv [\mathit{tstb}^m A \rightarrow \mathit{beg}(A = B)]$$

Properties:

$$\models A\ \mathit{del}^m\ B \supset A\ \mathit{sadel}^m\ B$$
Basic delay implements sampling-time delay.

$$\models A\ \mathit{sadel}^m\ B \equiv (\mathit{tstb}^m A \rightarrow [\mathit{beg}(A = B) \wedge A\ \mathit{blk}\ B])$$
Once the device stabilises, the input A blocks the output B.

The predicate sadel can be extended to associate some factor with the blocking of B by A:

$$A\ \mathit{sadel}^{m,n}\ B \equiv_{\mathrm{def}} (\mathit{tstb}^m A \rightarrow [\mathit{beg}(A = B) \wedge A\ \mathit{blk}^n\ B])$$

In a sense, m is the maximum delay and n is the minimum delay.

§4.7 An Equivalent Delay Model with an Internal State

A related delay model $A\ \mathit{stdel}^{m,n}_X\ B$ is based on a bit flag X that is set to 1 after the input A has been held stable m units. Whenever X is 1, the input A equals the output B and blocks X, which in turn blocks B by the factor n:

$$A\ \mathit{stdel}^{m,n}_X\ B \equiv_{\mathrm{def}} \Box([\mathit{stb}\ A \wedge \mathit{len} \ge m] \supset \mathit{fin}(X = 1)) \wedge \Box(\mathit{beg}(X = 1) \supset [\mathit{beg}(A = B) \wedge A\ \mathit{blk}\ X \wedge X\ \mathit{blk}^n\ B])$$

In the manner described earlier, we internalize X by existentially quantifying over it:

$$A\ \mathit{stdel}^{m,n}\ B \equiv_{\mathrm{def}} \exists X.\ (A\ \mathit{stdel}^{m,n}_X\ B)$$

This external form is in fact logically equivalent to $A\ \mathit{sadel}^{m,n}\ B$:

$$\models A\ \mathit{stdel}^{m,n}\ B \equiv A\ \mathit{sadel}^{m,n}\ B$$

The following construction for X can be used:

$$X \approx (\mathit{if}\ [\mathit{beg}(A = B) \wedge A\ \mathit{blk}^n\ B]\ \mathit{then}\ 1\ \mathit{else}\ 0)$$

The right-hand expression is not a signal but is converted to one as outlined in the next chapter.

There are a variety of specifications that use different internal signals such as X and yet are externally equivalent.

§4.8 Delay with Separate Propagation Times for 0 and 1

Sometimes it is important to distinguish between the propagation times for 0 and 1. The following variant of sadel does this by having separate timing values for the two cases. The delay's input and output are both bit signals.

$$X\ \mathit{sadel01}^{m,n}\ Y \equiv_{\mathrm{def}} \Box([X \approx 0 \wedge \mathit{len} \ge m] \supset \mathit{fin}(X = Y)) \wedge \Box([X \approx 1 \wedge \mathit{len} \ge n] \supset \mathit{fin}(X = Y))$$

Property:

$$\models X\ \mathit{sadel01}^{m,n}\ Y \supset X\ \mathit{sadel}^{\max(m,n)}\ Y$$
The separate propagation times can be reduced to those for the more general form of sampling-time delay by using the larger of the two parameters.
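The following Python checker is an added example, not part of the dissertation. It evaluates $A\ \mathit{sadel}^m\ B$ (§4.6) and $X\ \mathit{sadel01}^{m,n}\ Y$ (§4.8) on finite traces and contrasts two devices that both satisfy $\mathit{sadel}^m$: a transport delay, which reproduces every input change, and a sampling device that drops any pulse shorter than m, which is exactly the freedom "behavior during changes in A is left unspecified" grants. The device models, function names and sample traces are assumptions of this example; the blocking variants $\mathit{blk}^n$ are not modelled.

```python
# Added example (not from the dissertation): a finite-trace checker for the
# sampling-delay predicates sadel (§4.6) and sadel01 (§4.8), together with two
# devices that both satisfy sadel^m but differ during input changes.  Signals
# are lists indexed by time; a subinterval [s, e] has length e - s.

def stb(xs):
    """stb: the signal keeps one value over the whole (sub)interval."""
    return all(x == xs[0] for x in xs)


def sadel(a, b, m):
    """A sadel^m B ≡ □[(stb A ∧ len ≥ m) ⊃ fin(A = B)]: on every subinterval of
    length at least m over which A is stable, B equals A at the end."""
    T = len(a)
    return all(a[e] == b[e]
               for s in range(T) for e in range(s + m, T) if stb(a[s:e + 1]))


def sadel01(x, y, m, n):
    """X sadel01^{m,n} Y: stabilisation time m while X ≈ 0 and n while X ≈ 1."""
    T = len(x)
    for s in range(T):
        for e in range(s, T):
            seg = x[s:e + 1]
            if stb(seg) and e - s >= (m if seg[0] == 0 else n) and x[e] != y[e]:
                return False
    return True


def del_m(a, b, m):
    """A del^m B (transport delay): B[t+m] = A[t]."""
    return all(b[t + m] == a[t] for t in range(len(a) - m))


def transport_device(a, m, init=0):
    """One behaviour satisfying A del^m B: every input change, however brief,
    reappears on the output exactly m units later."""
    return [init] * m + a[:len(a) - m]


def sampling_device(a, m, init=0):
    """One behaviour satisfying A sadel^m B but not A del^m B: the output
    follows the input only once it has been stable for m units and otherwise
    holds its previous value, so a pulse shorter than m never appears."""
    b = []
    for t in range(len(a)):
        if t >= m and stb(a[t - m:t + 1]):
            b.append(a[t])
        else:
            b.append(b[-1] if b else init)
    return b


def sampling_device01(x, m, n, init=0):
    """Bit device with separate stabilisation times: m for 0, n for 1."""
    y = []
    for t in range(len(x)):
        need = m if x[t] == 0 else n
        if t >= need and stb(x[t - need:t + 1]):
            y.append(x[t])
        else:
            y.append(y[-1] if y else init)
    return y
```

For the constructed input `[0, 0, 0, 1, 0, 0, 0, 0]` with m = 2, the transport device outputs the single-unit pulse two units late and satisfies both `del_m` and `sadel`, while the sampling device outputs a constant 0 and satisfies `sadel` only. A bit device with stabilisation times 3 for 0 and 1 for 1 satisfies `sadel01(x, y, 3, 1)` and `sadel(x, y, 3)` but not `sadel(x, y, 1)`, which is the content of the property above.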
§4.9 Smooth Delay Elements

It is possible to specify that between times when the delay element is steady, if the input changes smoothly, then so does the output. We call such a device a smooth delay element. This type of delay has utility in systems that must propagate clock signals without distortion. Here is a predicate based on the earlier specification stdel:

$$A\ \mathit{smdel}^{m,n}_X\ B \equiv_{\mathrm{def}} A\ \mathit{stdel}^{m,n}_X\ B \wedge \Box([\mathit{beg}(X = 1) \wedge \mathit{fin}(X = 1) \wedge \mathit{sm}\ A] \supset \mathit{sm}\ B)$$

The external form quantifies over X:

$$A\ \mathit{smdel}^{m,n}\ B \equiv_{\mathrm{def}} \exists X.\ (A\ \mathit{smdel}^{m,n}_X\ B)$$
§4.10 Delay with Tolerance to Noise

Sometimes it is important to consider the effects of transient noise during signal changes. A signal A is almost smooth with factor l if A is continuously stable all but at most l contiguous units of time:

$$\mathit{stb}\ A;\ (\mathit{len} \le l);\ \mathit{stb}\ A$$

The delay model toldel is similar to smdel but has an additional timing coefficient l for showing how almost smooth input changes result in smooth output transitions:

$$A\ \mathit{toldel}^{m,n,l}_X\ B \equiv_{\mathrm{def}} A\ \mathit{stdel}^{m,n}_X\ B \wedge \Box([\mathit{beg}(X = 1) \wedge \mathit{fin}(X = 1) \wedge (\mathit{stb}\ A;\ (\mathit{len} \le l);\ \mathit{stb}\ A)] \supset \mathit{sm}\ B)$$

From this we can obtain the external form $A\ \mathit{toldel}^{m,n,l}\ B$ by quantifying over X, as before.

The predicate smdel is a special case of toldel with a noise tolerance of 1 time unit:

$$\models A\ \mathit{smdel}^{m,n}\ B \equiv A\ \mathit{toldel}^{m,n,1}\ B$$



§4.11 Gates with Input and Output Delays

One might specify an and-gate with both input and output delays as follows:

$$(X, X')\ \mathit{saand}^{m,n}\ Y \equiv_{\mathrm{def}} \exists Z, Z'.\ [X\ \mathit{sadel}^m\ Z \wedge X'\ \mathit{sadel}^m\ Z' \wedge (Z \wedge Z')\ \mathit{sadel}^n\ Y]$$

Here a delay exists from the input X to an internal signal Z and another delay exists from X' to Z'. The bit-and of Z and Z' is propagated to Y. The input delays are given by m and the output delay by n. If we choose to ignore input delays, the model reduces to a single occurrence of sadel:

$$\models (X, X')\ \mathit{saand}^{0,n}\ Y \equiv (X \wedge X')\ \mathit{sadel}^n\ Y$$

If the internal propagation is modeled by transport delay, things are even simpler. Here is an and-gate specified in this manner:

$$(X, X')\ \mathit{tand}^{m,n}\ Y \equiv_{\mathrm{def}} \exists Z, Z'.\ [X\ \mathit{del}^m\ Z \wedge X'\ \mathit{del}^m\ Z' \wedge (Z \wedge Z')\ \mathit{del}^n\ Y]$$

The predicate tand simplifies even if the internal input delay m is not zero:

$$\models (X, X')\ \mathit{tand}^{m,n}\ Y \equiv (X \wedge X')\ \mathit{del}^{m+n}\ Y$$

§4.12 High-Impedance

Digital devices sometimes use the phenomenon of high impedance as a decentralised means for sharing a common output among several sources. Each source has its own enabling signal which, when on, causes data to pass to the output. When the enable signal is off, the connection "disconnects" or "floats." Pass transistors in MOS semiconductor technology and tri-state drivers in TTL exhibit this kind of behavior. See Gschwind and McCluskey [17] or Mead and Conway [32] for details.

The predicate $A\ \mathit{pass}_X\ B$ specifies the connection of the signals A and B when the bit signal X is 1:

$$A\ \mathit{pass}_X\ B \equiv_{\mathrm{def}} \Box[(X \approx 1) \supset (A \approx B)]$$

Thus the pair of devices

$$(A\ \mathit{pass}_X\ B) \wedge (A'\ \mathit{pass}_{\neg X}\ B)$$

will pass the signal A to B when X is 1 and will pass the signal A' to B when X is 0. The following formula has the same semantics:

$$[\mathit{if}\ (X = 1)\ \mathit{then}\ A\ \mathit{else}\ A'] \approx B$$

The predicate pass shows that the key feature of high impedance can be modeled in ITL without the introduction of extra bit values.

Properties:

$$\models A\ \mathit{pass}_X\ B \equiv B\ \mathit{pass}_X\ A$$
A pass transistor is commutative.

$$\models [A\ \mathit{pass}_X\ B \wedge (X \approx 1)] \supset (A \approx B)$$
During intervals when the pass transistor is enabled, the input and output are equal.

$$\models [A\ \mathit{pass}_X\ B \wedge B\ \mathit{pass}_Y\ C] \supset A\ \mathit{pass}_{X \wedge Y}\ C$$
Pass transistor behavior is transitive.


Chapter 5

ADDITIONAL NOTATION

This chapter introduces some useful notation that we need before looking at more complicated devices.

§5.1 Reverse Subscripting

Because some of the devices we present deal with numbers and their representation as bit vectors, it is convenient to occasionally adopt an alternative subscripting order. Subscripts on a vector $V = (v_0, \ldots, v_n)$ normally range from 0 on the left to n on the right. The construct $V[i]$ follows this style. However, in order to simplify reasoning about the correspondence between a bit vector and its numerical equivalent, a slightly different convention is sometimes used. The alternative notation $V\{i\}$ indexes V from the right, with the right-most element having subscript 0. For example:

$$(1, 0, 5)\{0\} = 5, \quad (1, 0, 5)\{1\} = 0, \quad (1, 0, 5)\{2\} = 1$$

For a vector V and $i \ge j$, the expression $V\{i\ \mathit{to}\ j\}$ forms a new vector out of the elements indexed from i down to j. If $i < j$, the empty vector is returned. For example,

$$(0, 1)\{0\ \mathit{to}\ 0\} = (1), \quad (3, 1, 0, 1)\{1\ \mathit{to}\ 2\} = ()$$
§5.2 Conversion from Bit Vectors to Integers

The function nval converts a bit vector to its unsigned numerical value. For example,

$$\mathit{nval}((0, 1, 1)) = 3, \quad \mathit{nval}((1, 1, 0, 0)) = 12$$

The following definition of nval can be used:

$$\mathit{nval}(X) \equiv_{\mathrm{def}} \sum_{0 \le i < |X|} \left(2^i \cdot X\{i\}\right)$$
§5.3 Tuples and Field Names

We also permit composite values with field names. For example, the pair

$$\{X\colon 3,\ Y\colon 4\}$$

has one element accessed by the field X and another accessed by Y. A given field name cannot be used twice in a tuple. For a given expression e, the value in field X can be referred to as

$$e.X$$

Thus, if a variable A equals the tuple above, the value of $A.X + A.Y$ is 7. Arbitrary nesting of such references is permitted.

Sometimes it is desired to let the particular field selected be variable. In that case we use field names such as 'X and 'Y, which can be used like numerical subscripts. For example, the expressions A['X] and A.X are equivalent. Thus, if the variable b equals either 'X or 'Y, the expression A[b] equals either A.X or A.Y. Note that the expression A.b is not equivalent to A[b] but rather to A['b]. Rather than extend the data domain, we view each field name as representing a distinct numerical constant. Thus, 'X might stand for 23. We view a construct such as '{A, B} as an abbreviation for the set {'A, 'B}.
§5.4 Types for Lists and Tuples

Given two predicates p and q, we form the predicate $p \times q$, which is true for any pair whose first element satisfies p and whose second element satisfies q. For example, the formula

$$(\mathit{nat} \times \mathit{bit})((3, 1))$$

is true. In general, we write such a test as

$$(3, 1)\colon (\mathit{nat} \times \mathit{bit})$$

This can be considered an abbreviation for the formula

$$|(3, 1)| = 2 \wedge \mathit{nat}((3, 1)[0]) \wedge \mathit{bit}((3, 1)[1])$$

The operator $\times$ extends to n-element tuples:

$$p_1 \times \cdots \times p_n,$$

where $p_1, \ldots, p_n$ are unary predicates. In addition, the construct $p^n$ is equivalent to n repetitions of p. For instance, the test

$$a\colon \mathit{nat}^3$$

is true if a is a triple of natural numbers.

The predicate $\mathit{struct}(X_1\colon p_1, \ldots, X_n\colon p_n)$ checks for tuples whose elements have field names $X_1, \ldots, X_n$ and satisfy the respective types $p_1, \ldots, p_n$. For example, the predicate

$$\mathit{struct}(X\colon \mathit{nat},\ Y\colon \mathit{bit}^2)$$

is true for tuples such as

$$\{X\colon 3,\ Y\colon (1, 0)\}.$$
§5.5 Temporal Conversion

Sometimes a formal parameter of a predicate or function has a sort that is slightly incompatible with that of the corresponding actual parameter. For example, in the formula

$$A\ \mathit{del}^N\ B$$

the signal variable N is in a place requiring a static delay factor. We handle this by temporally converting the occurrence of N to a static variable. Thus, the formula just given is considered a syntactic abbreviation for

$$\exists k.\ [(k = N) \wedge (A\ \mathit{del}^k\ B)].$$

In essence, the initial value of N is used as the delay factor. This convention corresponds to the technique of call-by-value parameter passing in standard programming languages. The formula

$$A \approx B$$

in which B is an interval variable rather than a signal, expands to

$$\exists C.\ [\blacksquare(C = B) \wedge (A \approx C)]$$

The occurrence of the interval variable B is replaced by a signal C that agrees with B in all terminal subintervals.


Chapter 6

ADDERS

In many computations involving arithmetic operations, it is advantageous to directly reason about numbers. We will now concentrate on addition. To express that the numerical variable I always equals the sum of J and K, we write the temporal formula

$$I \approx (J + K)$$

If there is, say, a unit delay, this might be given as the formula

$$(J + K)\ \mathit{del}\ I$$

Even though actual computers possess only finite capacity, it is quite natural to assume an unbounded range of values. When finite precision must be accounted for, modular arithmetic can be used. For example, if it is known that I, J and K all range between 0 and $2^n - 1$, then we can represent addition in the manner shown below:

$$I \approx ((J + K) \bmod 2^n)$$

Such descriptive techniques are sufficient for many purposes. However, in specifications of actual digital circuits we must often descend to the level where numbers are implemented by bit vectors. For instance, given that In1, In2 and Out are all n-bit vectors, the following formula specifies that Out always equals the n-bit sum of In1 and In2:

$$\mathit{nval}(\mathit{Out}) \approx ((\mathit{nval}(\mathit{In1}) + \mathit{nval}(\mathit{In2})) \bmod 2^n)$$

Bit signals for carry-in and carry-out can be included in the manner below:

$$\mathit{nval}((\mathit{Co}) \Vert \mathit{Out}) \approx [\mathit{nval}(\mathit{In1}) + \mathit{nval}(\mathit{In2}) + \mathit{Ci}]$$

The list operator $\Vert$ appends the lists (Co) and Out together. Since the carry-in Ci is a single bit (i.e., 0 or 1), it can be used directly in arithmetic expressions without reference to nval.
§6.1 Basic Adder

Let us now consider an adder specification which includes some timing information regarding propagation delay. The diagram below gives the device's various fields:

    In1: Bit^n  ==>                     ==> Out: Bit^n
    In2: Bit^n  ==>      [ adder ]      --> Co:  Bit
    Ci:  Bit    -->
                  n: nat, (prd, lat): time

In this and further diagrams, we generally use a single arrow (→) to indicate a bit input or output and a double arrow (⇒) to indicate a vector signal. The variables at the bottom of the diagram are static and usually determine the device's size or timing coefficients. Here, prd stands for the adder's propagation delay and lat stands for the adder's latency or blocking factor. The temporal specification makes this more precise.

Formal specification of addition circuit

The predicate BasicAdder formally characterises the circuit's desired structure and behavior. The device's various inputs, outputs and timing coefficients are represented as fields of the single parameter A. For example, the expression $A.\mathit{Ci}$ equals the carry input. The predicate's definition makes reference to other predicates given later.

$$\mathit{BasicAdder}(A) \equiv_{\mathrm{def}} \mathit{BasicAdderStructure}(A) \wedge \Box\,\mathit{Add}(A)$$

The predicate BasicAdderStructure presents A's fields. The predicate Add gives the control sequencing required to perform an addition. The operator $\Box$ indicates that Add must be true in all subintervals.

Definition of BasicAdderStructure:

The definition below of BasicAdderStructure contains information on the physical structure of the adder. Fields starting in upper case represent signals while lower-case ones are static. Constructs such as "%Inputs" are comments included to classify the various circuit fields. For example, A.In1 is an input bit vector. The input bit vectors In1 and In2 are of length n, as is the output vector Out, which yields the sum. The input bit Ci determines the carry input and Co receives the carry output. The values lat and prd are the latency and propagation times.

    BasicAdderStructure(A) ≡_def
      A: struct[
        (In1, In2): Bit^n,          %Inputs
        Ci: Bit,
        Out: Bit^n,                 %Outputs
        Co: Bit,
        n: nat, (prd, lat): time    %Parameters
      ]

For brevity, the prefix "A." is omitted when a field is referenced below.

Definition of Add:

After the inputs In1, In2 and Ci are held stable long enough, the combined numerical value of the outputs Out and Co equals the inputs' numerical sum. In addition, there is a certain amount of latency. Recall that the function nval converts a bit sequence to the corresponding numerical value.

$$\mathit{Add}(A) \equiv_{\mathrm{def}} (\mathit{stb}(\mathit{In1}, \mathit{In2}, \mathit{Ci}) \wedge \mathit{len} \ge \mathit{prd}) \rightarrow [\mathit{nval}((\mathit{Co}) \Vert \mathit{Out}) = (\mathit{nval}(\mathit{In1}) + \mathit{nval}(\mathit{In2}) + \mathit{Ci}) \wedge (\mathit{In1}, \mathit{In2}, \mathit{Ci})\ \mathit{blk}^{\mathit{lat}}\ (\mathit{Co}, \mathit{Out})]$$

It is possible to modify the predicate BasicAdder to handle other combinational logic elements with similar timing characteristics.

Combining two adders

Two such adders can be used to build a bigger one by appending the corresponding vector inputs and outputs and using the carry-out of one adder as the carry-in of the other. The following property formally expresses this:

$$\models [\mathit{BasicAdder}(A) \wedge \mathit{BasicAdder}(B) \wedge (A.\mathit{Ci} \approx B.\mathit{Co})] \supset \mathit{BasicAdder}(C)$$

where the tuple C has exactly the following fields and connections to A and B:

    C.In1  ≈  A.In1 ‖ B.In1
    C.In2  ≈  A.In2 ‖ B.In2
    C.Ci   ≈  B.Ci
    C.Out  ≈  A.Out ‖ B.Out
    C.Co   ≈  A.Co
    C.n    =  A.n + B.n
    C.lat  =  min(A.lat, B.lat)
    C.prd  =  A.prd + B.prd

Here A contains the most significant bits and B contains the least significant ones. The operator ‖ appends two lists together.
§6.2 Adder with Internal Status Bit

An adder of length n can be defined to include an internal status bit in the manner of the delay model stdel. Here is the device structure:

    In1: Bit^n  ==>                       ==> Out: Bit^n
    In2: Bit^n  ==>    [ Status: Bit ]    --> Co:  Bit
    Ci:  Bit    -->
                         n, prd, lat

The specification given below is externally equivalent to BasicAdder.

Definition of StatusAdder:

$$\mathit{StatusAdder}(A) \equiv_{\mathrm{def}} \mathit{StatusAdderStructure}(A) \wedge \Box\,\mathit{Add}(A) \wedge \Box\,\mathit{Steady}(A)$$

Definition of StatusAdderStructure:

    StatusAdderStructure(A) ≡_def
      A: struct[
        (In1, In2): Bit^n, Ci: Bit    %Inputs
        Out: Bit^n, Co: Bit           %Outputs
        Status: Bit                   %Internal
        n: nat, (lat, prd): time      %Parameters
      ]

Definition of Add:

After the inputs remain stable long enough, their sum is propagated to the outputs and the status bit equals 1.

$$\mathit{Add}(A) \equiv_{\mathrm{def}} (\mathit{stb}(\mathit{In1}, \mathit{In2}, \mathit{Ci}) \wedge \mathit{len} \ge \mathit{prd}) \supset \mathit{fin}([\mathit{Status} = 1] \wedge [\mathit{nval}((\mathit{Co}) \Vert \mathit{Out}) = \mathit{nval}(\mathit{In1}) + \mathit{nval}(\mathit{In2}) + \mathit{Ci}])$$

Definition of Steady:

Whenever the signal Status is 1, there is a certain amount of blocking from the inputs to it and to the outputs.

$$\mathit{Steady}(A) \equiv_{\mathrm{def}} \mathit{beg}(\mathit{Status} = 1) \supset [(\mathit{In1}, \mathit{In2}, \mathit{Ci})\ \mathit{blk}\ \mathit{Status} \wedge (\mathit{In1}, \mathit{In2}, \mathit{Ci})\ \mathit{blk}^{\mathit{lat}}\ (\mathit{Out}, \mathit{Co})]$$
§6.3 Adder with More Detailed Timing Information

Further timing details can be accommodated, as we now demonstrate. Suppose each input has its own propagation time. This can be specified as follows:

Definition of DetailedAdder:

$$\mathit{DetailedAdder}(A) \equiv_{\mathrm{def}} \mathit{DetailedAdderStructure}(A) \wedge \Box\,\mathit{Add}(A)$$

Definition of DetailedAdderStructure:

In this adder, there is a separate parameter for each input's propagation time.

    DetailedAdderStructure(A) ≡_def
      A: struct[
        (In1, In2): Bit^n, Ci: Bit    %Inputs
        Out: Bit^n, Co: Bit           %Outputs
        n: nat,                       %Parameters
        prd: (In1, In2, Ci): time,
        lat: time
      ]

We use the construct

    prd: (In1, In2, Ci): time

to indicate that prd has three subfields accessible as prd.In1, prd.In2 and prd.Ci.

Definition of Add:

Here each input has its own time for stabilizing.

$$\mathit{Add}(A) \equiv_{\mathrm{def}} (\mathit{tstb}^{\mathit{prd}.\mathit{In1}}\,\mathit{In1} \wedge \mathit{tstb}^{\mathit{prd}.\mathit{In2}}\,\mathit{In2} \wedge \mathit{tstb}^{\mathit{prd}.\mathit{Ci}}\,\mathit{Ci}) \rightarrow [\mathit{nval}((\mathit{Co}) \Vert \mathit{Out}) = (\mathit{nval}(\mathit{In1}) + \mathit{nval}(\mathit{In2}) + \mathit{Ci}) \wedge (\mathit{In1}, \mathit{In2}, \mathit{Ci})\ \mathit{blk}^{\mathit{lat}}\ (\mathit{Co}, \mathit{Out})]$$

The sampling requirements can also be given in a less redundant form:

$$\forall \mathit{field} \in {'}\{\mathit{In1}, \mathit{In2}, \mathit{Ci}\}.\ \left(\mathit{tstb}^{\mathit{prd}[\mathit{field}]}\,A[\mathit{field}]\right)$$

Recall that '{In1, In2, Ci} represents the set {'In1, 'In2, 'Ci}.
§6.4 Adder with Carry Look-Ahead Outputs

Long adders usually have extra control signals to speed up the propagation of carry bits. One technique is called carry look-ahead (see [17]) and produces sum and carry outputs as well as two bit signals Gen and Prop. The structure is as follows:

    In1: Bit^n  ==>                     ==> Out:  Bit^n
    In2: Bit^n  ==>      [ adder ]      --> Co:   Bit
    Ci:  Bit    -->                     --> Gen:  Bit
                                        --> Prop: Bit
                       n, prd, lat

The bit signal Gen is 1 iff the result of adding In1 and In2 will generate 1 as carry no matter what the carry input Ci is. The bit signal Prop is 1 iff the carry input Ci will be propagated unchanged to the carry output Co. Because both Gen and Prop can be computed without the carry input, they need not wait for carry rippling.

Definition of CarryLookAheadAdder:

$$\mathit{CarryLookAheadAdder}(A) \equiv_{\mathrm{def}} \mathit{CLAAdderStructure}(A) \wedge \Box\,\mathit{Add}(A, \mathit{output}), \quad \text{for } \mathit{output} \in {'}\{\mathit{Out}, \mathit{Co}, \mathit{Gen}, \mathit{Prop}\}$$

The last line is equivalent to

$$\Box\,\mathit{Add}(A, {'}\mathit{Out}) \wedge \Box\,\mathit{Add}(A, {'}\mathit{Co}) \wedge \Box\,\mathit{Add}(A, {'}\mathit{Gen}) \wedge \Box\,\mathit{Add}(A, {'}\mathit{Prop})$$

Definition of CLAAdderStructure:

    CLAAdderStructure(A) ≡_def
      A: struct[
        (In1, In2): Bit^n, Ci: Bit              %Inputs
        Out: Bit^n, (Co, Gen, Prop): Bit        %Outputs
        n: nat,                                 %Parameters
        prd: (Out, Co, Gen, Prop): time,
        lat: (Out, Co, Gen, Prop): time
      ]

The specification gives various propagation and latency times by making prd and lat each have a subfield for every output.

The function inputs shows the inputs used by each output:

    output    inputs(A, output)
    Out       (Ci, In1, In2)
    Co        (Ci, In1, In2)
    Gen       (In1, In2)
    Prop      (In1, In2)

As noted earlier, the generate and propagate signals can be computed without reference to the carry input.

Definition of Add:

For any selected output, after the appropriate input fields remain stable long enough, the device satisfies the predicate result and the output depends on its associated inputs.

$$\mathit{Add}(A, \mathit{output}) \equiv_{\mathrm{def}} (\mathit{stb}\ \mathit{inputs}(A, \mathit{output}) \wedge \mathit{len} \ge \mathit{prd}[\mathit{output}]) \rightarrow [\mathit{result}(A, \mathit{output}) \wedge \mathit{inputs}(A, \mathit{output})\ \mathit{blk}^k\ A[\mathit{output}]]$$

where $k = \mathit{lat}[\mathit{output}]$ and the predicate result has the following definition:

    output    result(A, output)
    Out       nval(Out) = (nval(In1) + nval(In2) + Ci) mod 2^n
    Co        Co = carry(n, nval(In1), nval(In2), Ci)
    Gen       Gen = carrygen(n, nval(In1), nval(In2))
    Prop      Prop = carryprop(n, nval(In1), nval(In2))

The functions carry, carrygen and carryprop compute appropriate values (÷ denotes integer division, so carry yields 0 or 1):

$$\mathit{carry}(n, j, k, \mathit{ci}) \equiv_{\mathrm{def}} (j + k + \mathit{ci}) \div 2^n$$

$$\mathit{carrygen}(n, j, k) \equiv_{\mathrm{def}} \mathit{if}\ (\forall \mathit{ci} \in \{0, 1\}.\ \mathit{carry}(n, j, k, \mathit{ci}) = 1)\ \mathit{then}\ 1\ \mathit{else}\ 0$$

$$\mathit{carryprop}(n, j, k) \equiv_{\mathrm{def}} \mathit{if}\ (\forall \mathit{ci} \in \{0, 1\}.\ \mathit{carry}(n, j, k, \mathit{ci}) = \mathit{ci})\ \mathit{then}\ 1\ \mathit{else}\ 0$$

Both carrygen and carryprop can be simplified:

$$\mathit{carrygen}(n, j, k) = \mathit{if}\ (j + k \ge 2^n)\ \mathit{then}\ 1\ \mathit{else}\ 0$$

$$\mathit{carryprop}(n, j, k) = \mathit{if}\ (j + k = 2^n - 1)\ \mathit{then}\ 1\ \mathit{else}\ 0$$

Thus, a carry is generated exactly when the sum of the two numbers j and k exceeds the capacity of n bits. Similarly, the incoming carry is propagated if the sum of j and k is the "borderline" value $2^n - 1$. In practice, a carry look-ahead adder may output Gen and Prop in complemented form as the signals $\overline{\mathit{Gen}}$ and $\overline{\mathit{Prop}}$.

If we ignore propagation delay, the adder has the following behavior:

$$\forall \mathit{output} \in {'}\{\mathit{Out}, \mathit{Co}, \mathit{Gen}, \mathit{Prop}\}.\ [\Box\,\mathit{result}(A, \mathit{output})]$$
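The Python below is an added example, not code from the dissertation. It implements nval from §5.2 and the carry, carrygen and carryprop functions of §6.4, checks the stated simplifications exhaustively for small n, and composes two BasicAdders exactly as the "Combining two adders" property of §6.1 wires them. It also checks the look-ahead identity Co = Gen ∨ (Prop ∧ Ci), which follows from the definitions above and is the reason Gen and Prop let Co be formed without rippling; that identity and all function names are assumptions of this example.

```python
# Added example (not from the dissertation): the arithmetic behind the adder
# specifications of Chapters 5-6, checked exhaustively for small n.  Bits are
# Python lists with the most significant bit first, so nval matches §5.2.
from itertools import product


def nval(bits):
    """nval(X) = Σ 2^i · X{i}, where X{i} indexes from the right (§5.2)."""
    return sum(2 ** i * b for i, b in enumerate(reversed(bits)))


def to_bits(value, n):
    """Inverse of nval for 0 ≤ value < 2^n."""
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def carry(n, j, k, ci):
    """carry(n, j, k, ci) = (j + k + ci) ÷ 2^n, with ÷ integer division."""
    return (j + k + ci) // 2 ** n


def carrygen(n, j, k):
    return 1 if all(carry(n, j, k, ci) == 1 for ci in (0, 1)) else 0


def carryprop(n, j, k):
    return 1 if all(carry(n, j, k, ci) == ci for ci in (0, 1)) else 0


def carrygen_simple(n, j, k):
    return 1 if j + k >= 2 ** n else 0


def carryprop_simple(n, j, k):
    return 1 if j + k == 2 ** n - 1 else 0


def simplifications_hold(n):
    """Exhaustively confirms the simplified carrygen/carryprop of §6.4 and the
    look-ahead identity Co = Gen ∨ (Prop ∧ Ci) (an assumption of this example,
    derived from the definitions), which is why Co can be formed from Gen and
    Prop without rippling a carry through the adder."""
    for j, k, ci in product(range(2 ** n), range(2 ** n), (0, 1)):
        if carrygen(n, j, k) != carrygen_simple(n, j, k):
            return False
        if carryprop(n, j, k) != carryprop_simple(n, j, k):
            return False
        if carry(n, j, k, ci) != (carrygen(n, j, k) | (carryprop(n, j, k) & ci)):
            return False
    return True


def basic_adder(in1, in2, ci):
    """Steady-state result of BasicAdder's Add (§6.1):
         nval((Co) ‖ Out) = nval(In1) + nval(In2) + Ci.
    Returns (Co, Out)."""
    n = len(in1)
    assert len(in2) == n and ci in (0, 1)
    total = nval(in1) + nval(in2) + ci
    return total >> n, to_bits(total % 2 ** n, n)


def combined_adder(a_n, in1, in2, ci):
    """Two BasicAdders wired as in §6.1: A holds the a_n most significant
    bits, B the rest; C.Ci ≈ B.Ci, A.Ci ≈ B.Co, C.Co ≈ A.Co and
    C.Out ≈ A.Out ‖ B.Out.  Returns (C.Co, C.Out)."""
    b_co, b_out = basic_adder(in1[a_n:], in2[a_n:], ci)
    a_co, a_out = basic_adder(in1[:a_n], in2[:a_n], b_co)
    return a_co, a_out + b_out


def combination_is_adder(a_n, b_n):
    """Checks BasicAdder(C) for every input of the (a_n + b_n)-bit combination."""
    n = a_n + b_n
    for x, y, ci in product(range(2 ** n), range(2 ** n), (0, 1)):
        co, out = combined_adder(a_n, to_bits(x, n), to_bits(y, n), ci)
        if nval([co] + out) != x + y + ci:
            return False
    return True
```

`simplifications_hold(n)` returns True for n = 1 to 4, and `combination_is_adder(a, b)` returns True for all small splits, so the carry-chain wiring of the combination property behaves as a single adder of width A.n + B.n.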
Chapter 7

LATCHES

A latch is a simple memory element for storing and maintaining a single bit of data. The two inputs S and R determine what value is stored, with S standing for Set and R standing for Reset. When the latch is steady, the outputs Q and $\bar{Q}$ are complements. Note that the bar in "$\bar{Q}$" is part of the name and not an operator. Such elements are among the simplest storage devices that can be constructed out of TTL gates and provide a basis for building counters and other sequential components.

§7.1 Simple Latch

Here is one possible latch specification:

$$(S, R)\ \mathit{latch}^{m,n}\ (Q, \bar{Q}) \equiv_{\mathrm{def}} \Box[(S \approx 0 \wedge R \approx 1 \wedge \mathit{len} \ge m) \rightarrow (\mathit{beg}[Q = 0 \wedge \bar{Q} = 1] \wedge S\ \mathit{blk}^n\ (Q, \bar{Q}))] \wedge \Box[(S \approx 1 \wedge R \approx 0 \wedge \mathit{len} \ge m) \rightarrow (\mathit{beg}[Q = 1 \wedge \bar{Q} = 0] \wedge R\ \mathit{blk}^n\ (Q, \bar{Q}))]$$

For example, the specification states that after S is 1 and R is 0 for at least m units of time, Q equals 1, $\bar{Q}$ equals 0 and R blocks both with factor n. That is, the outputs are stable as long as R remains "inactive" at 0, independent of S's behavior.

Such a latch can be constructed out of two nor-gates that feed back to one another:

$$\models [\neg(R \vee \bar{Q})\ \mathit{sadel}^{m,n}\ Q \wedge \neg(S \vee Q)\ \mathit{sadel}^{m,n}\ \bar{Q} \wedge n \ge 1] \supset [(S, R)\ \mathit{latch}^{2m,n}\ (Q, \bar{Q})]$$

For example, to set Q to 1 and $\bar{Q}$ to 0, we keep R at 0 and S at 1. After m units of time, $\bar{Q}$ equals 0 and after 2m units of time, Q equals 1. At this point both Q and $\bar{Q}$ are stable as long as R remains equal to 0. The gates' blocking factor n must be nonzero in order to achieve a feedback loop that maintains the values of Q and $\bar{Q}$.
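The following simulation is an added example and not part of the dissertation. It builds the two cross-coupled nor-gates of this section, modelling each gate as an m-unit transport delay, which by the property $A\ \mathit{del}^m\ B \supset A\ \mathit{sadel}^m\ B$ of §4.6 is one behaviour the sampling model allows, and checks the resulting traces against the latch specification in the reading the text gives it. The checker, the stimulus traces and all function names are assumptions of this example; the blocking factor n is not modelled beyond the requirement that outputs hold while the inactive input stays at 0.

```python
# Added example (not from the dissertation): a simulation of the two
# cross-coupled nor-gates of §7.1.  Each gate is an m-unit transport delay,
# one behaviour allowed by sadel^{m,n}.  The checker reads the latch
# specification as the text explains it: after S = 1, R = 0 (resp. S = 0,
# R = 1) for at least m units the outputs are (1, 0) (resp. (0, 1)) and then
# stay put for as long as the inactive input remains 0, whatever the other
# input does.

def nor_latch_trace(S, R, m, q0=0, qbar0=1):
    """Q ≈ ¬(R ∨ Q̄) and Q̄ ≈ ¬(S ∨ Q), each through an m-unit delay.
    The first m states hold the assumed initial values q0, qbar0."""
    assert m >= 1 and len(S) == len(R)
    T = len(S)
    Q, Qbar = [q0] * T, [qbar0] * T
    for t in range(m, T):
        Q[t] = 1 - (R[t - m] | Qbar[t - m])
        Qbar[t] = 1 - (S[t - m] | Q[t - m])
    return Q, Qbar


def latch_holds(S, R, Q, Qbar, m):
    """(S, R) latch^{m,n} (Q, Q̄) in the reading given above."""
    T = len(S)
    # (value of S, value of R, input that afterwards blocks the outputs)
    for s_val, r_val, blocker in ((1, 0, R), (0, 1, S)):
        want = (s_val, r_val)                   # Q follows S, Q̄ follows R
        for s in range(T):
            for e in range(s + m, T):
                if all(S[t] == s_val and R[t] == r_val for t in range(s, e + 1)):
                    t = e
                    while t < T and blocker[t] == 0:
                        if (Q[t], Qbar[t]) != want:
                            return False
                        t += 1
    return True


def set_then_reset(m=1):
    """Constructed stimulus: set for 4 units, release S, then reset."""
    S = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
    R = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1]
    Q, Qbar = nor_latch_trace(S, R, m)
    return S, R, Q, Qbar


def short_set_pulse(m=1):
    """Constructed stimulus: S high for a single unit, shorter than the 2m
    units the construction needs; the two gates then chase each other."""
    S = [1, 0, 0, 0, 0, 0]
    R = [0] * 6
    Q, Qbar = nor_latch_trace(S, R, m)
    return S, R, Q, Qbar
```

With unit-delay gates, `set_then_reset` shows $\bar{Q}$ falling after 1 unit and Q rising after 2, the outputs holding through the release of S, and the reset taking effect 2 units after R rises; the trace satisfies `latch_holds` with m = 2 but not with m = 1, matching the 2m in the property. `short_set_pulse` shows what the 2m bound protects against: a set pulse of one unit leaves Q and $\bar{Q}$ oscillating together.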

§7.2 Conventional SR-Latch

The latch specification now given has separate parts for entering and maintaining a value in the device. The following sort of table is often given to describe operation for various input values:

    S  R  |  Q  Q̄
    1  0  |  1  0
    0  1  |  0  1
    0  0  |  unchanged
    1  1  |  unspecified

For example, assuming unit delay, the behavior of Q can be expressed by the formula

$$\Box[\mathit{skip} \supset ([\mathit{beg}(S = \neg R) \supset (S \rightarrow Q)] \wedge [\mathit{beg}(S = 0 \wedge R = 0) \supset \mathit{stb}\ Q])]$$

The following predicate SRLatch goes into more detail on timing.

Definition of SRLatchStructure:

The latch includes the internal bit flag Status:

    SRLatchStructure(L) ≡_def
      L: struct[
        (S, R): Bit         %Inputs
        (Q, Q̄): Bit         %Outputs
        Status: Bit         %Internal
        (prd, lat): time    %Parameters
      ]

We use Status to indicate when the device is steady.

Definition of SRLatch:

The latch can be set to 1, cleared to 0, disabled or kept steady.

$$\mathit{SRLatch}(L) \equiv_{\mathrm{def}} \mathit{SRLatchStructure}(L) \wedge \Box\,\mathit{Store}(L, i), \text{ for } i \in \{0, 1\} \wedge \Box\,\mathit{Disable}(L) \wedge \Box\,\mathit{Steady}(L)$$

The formula

$$\Box\,\mathit{Store}(L, i), \quad \text{for } i \in \{0, 1\}$$

is equivalent to

$$\Box\,\mathit{Store}(L, 0) \wedge \Box\,\mathit{Store}(L, 1)$$

Definition of Store:

This definition uses the static variable i to determine the value to be stored:

$$\mathit{Store}(L, i) \equiv_{\mathrm{def}} [(S \approx i) \wedge (R \approx \neg i) \wedge (\mathit{len} \ge \mathit{prd})] \supset \mathit{fin}[(\mathit{Status} = 1) \wedge (Q = i)]$$

Alternatively we can omit i by using a formula such as

$$[\mathit{stb}(S, R) \wedge \mathit{beg}(S = \neg R) \wedge (\mathit{len} \ge \mathit{prd})] \supset \mathit{fin}[(\mathit{Status} = 1) \wedge (Q = S)]$$

This works because S and R must be complements when setting or resetting, and S matches the value stored in Q.

Definition of Disable:

If the device is initially steady and the two inputs S and R smoothly become 0 for a period of sufficient length, the device remains steady and the outputs are stable.

$$\mathit{Disable}(L) \equiv_{\mathrm{def}} [\mathit{beg}(\mathit{Status} = 1) \wedge \mathit{sm}^{0,\mathit{prd}}(S, R) \wedge \mathit{fin}(S = 0 \wedge R = 0)] \supset [\mathit{fin}(\mathit{Status} = 1) \wedge \mathit{stb}(Q, \bar{Q})]$$

Definition of Steady:

When the flag Status equals 1, the outputs Q and $\bar{Q}$ are complements. In addition, the flag and outputs depend on the two inputs S and R.

$$\mathit{Steady}(L) \equiv_{\mathrm{def}} \mathit{beg}(\mathit{Status} = 1) \supset [\mathit{beg}(Q = \neg\bar{Q}) \wedge (S, R)\ \mathit{blk}\ \mathit{Status} \wedge (S, R)\ \mathit{blk}^{\mathit{lat}}\ (Q, \bar{Q})]$$

Constructing an SR-latch

The next property shows how the first latch described implements a conventional SR-latch:

$$\models [(S, R)\ \mathit{latch}^{m,n}\ (Q, \bar{Q})] \supset \mathit{SRLatch}(L)$$

where the tuple L has exactly the following fields and connections:

    L.S    ≈  S
    L.R    ≈  R
    L.Q    ≈  Q
    L.Q̄    ≈  Q̄
    L.prd  =  m
    L.lat  =  n

and L.Status is constructed as follows:

$$L.\mathit{Status} \approx \mathit{if}\ \left(\exists i \in \{0, 1\}.\ [Q = i \wedge \bar{Q} = \neg i \wedge (S, R)[i] = 0 \wedge ((S, R)[i])\ \mathit{blk}^n\ (Q, \bar{Q})]\right)\ \mathit{then}\ 1\ \mathit{else}\ 0$$

At all times, L.Status is set to 1 if Q and $\bar{Q}$ have complementary values and are blocked by S if Q = 0 and by R if Q = 1. The quantified variable i is used to determine the values of Q and $\bar{Q}$.
§7.3 Smooth SR-Latch

The predicate Store in the specification SRLatch can be modified to include
additional details regarding smooth transitions. As before, Store shows how to enter
0 or 1 into the latch. In addition, if the status bit is initially 1 and the inputs S and
R are smooth, the outputs are also smooth. Notice that there is no requirement
that Q and Q̄ change at exactly the same time.

Store(L, i) =def
    [tstb^prd(S, R) ∧ fin[(S = i) ∧ (R = ¬i)]]
        ⊃ [fin(Status = 1 ∧ Q = i)
            ∧ ([sm(S, R) ∧ beg(Status = 1)] ⊃ sm(Q, Q̄))]

§7.4 D-Latch

A simple D-latch has one input pin to selectively enable the latch to accept data
and another to indicate the actual value to be stored. The operation corresponds
roughly to the following table, where E and D are the enable and data inputs, and
Q and Q̄ are the outputs:

    E    D    Q
    1    0    0
    1    1    1
    0    -    unchanged

When E is held active at 1, D's value is propagated through the device as through
a delay element. When E is 0, the device maintains whatever value is stored,
independent of D. The formula below uses unit-delay to describe this:

    (if [E = 1] then (D, ¬D) else (Q, Q̄)) del (Q, Q̄)

If we just look at the behavior of Q, this reduces to

    (if [E = 1] then D else Q) del Q

The D-latch is also referred to as a transparent latch because when E is enabled,
the input data passes through to the output.
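The unit-delay formula and the Store/Disable predicates above can be checked mechanically on a finite trace. The Python below is an added example, not code from the dissertation: it gives finite-trace readings of beg, fin, stb, len, del and the all-subintervals box, simulates a constructed unit-delay D-latch, and evaluates (if [E = 1] then D else Q) del Q together with Store- and Disable-style properties for prd = 1. A second model that ignores E (a plain delay element) is included so that the Disable check has something to reject. The waveform, the operator readings and the choice prd = 1 are assumptions of the example.

```python
"""Added example: evaluate ITL-style latch properties over finite traces.

An interval is a non-empty list of states; each state maps signal names to 0/1.
The operator readings below (beg, fin, stb, len, del, all-subintervals box) are
this example's own finite-trace renderings of the dissertation's operators.
"""
from typing import Callable, Dict, List

State = Dict[str, int]
Interval = List[State]
Formula = Callable[[Interval], bool]


def subintervals(iv: Interval):
    """Every contiguous non-empty sub-list of the interval (the box-a range)."""
    for i in range(len(iv)):
        for j in range(i, len(iv)):
            yield iv[i:j + 1]


def beg(p: Callable[[State], bool]) -> Formula:
    return lambda iv: p(iv[0])


def fin(p: Callable[[State], bool]) -> Formula:
    return lambda iv: p(iv[-1])


def stb(name: str) -> Formula:
    """stb X: X keeps its initial value throughout the interval."""
    return lambda iv: all(s[name] == iv[0][name] for s in iv)


def held(name: str, value: int) -> Formula:
    """X ≈ v read on a trace: X equals v in every state of the interval."""
    return lambda iv: all(s[name] == value for s in iv)


def length_at_least(k: int) -> Formula:
    """len >= k; an interval of m states has len = m - 1 (number of steps)."""
    return lambda iv: len(iv) - 1 >= k


def delay(expr: Callable[[State], int], name: str) -> Formula:
    """expr del X: on every step, X in the next state equals expr of the current one."""
    return lambda iv: all(iv[t + 1][name] == expr(iv[t]) for t in range(len(iv) - 1))


def always_sub(w: Formula) -> Formula:
    """Box-a: w holds on every subinterval."""
    return lambda iv: all(w(sub) for sub in subintervals(iv))


def conj(*ws: Formula) -> Formula:
    return lambda iv: all(w(iv) for w in ws)


def implies(a: Formula, b: Formula) -> Formula:
    return lambda iv: (not a(iv)) or b(iv)


# --- constructed device models (sample behaviour, not the dissertation's) ---------

def d_latch_unit_delay(e: List[int], d: List[int], q0: int = 0) -> Interval:
    """Transparent D-latch with unit delay: Q[t+1] = D[t] if E[t] = 1 else Q[t]."""
    trace = [{"E": e[0], "D": d[0], "Q": q0}]
    for t in range(1, len(e)):
        prev = trace[-1]
        q = prev["D"] if prev["E"] == 1 else prev["Q"]
        trace.append({"E": e[t], "D": d[t], "Q": q})
    return trace


def plain_delay(e: List[int], d: List[int], q0: int = 0) -> Interval:
    """Faulty model that ignores the enable: Q[t+1] = D[t] always."""
    trace = [{"E": e[0], "D": d[0], "Q": q0}]
    for t in range(1, len(e)):
        trace.append({"E": e[t], "D": d[t], "Q": trace[-1]["D"]})
    return trace


# --- properties from the D-latch discussion, with prd = 1 -------------------------

# (if E = 1 then D else Q) del Q, over the whole interval
UNIT_DELAY = delay(lambda s: s["D"] if s["E"] == 1 else s["Q"], "Q")

# Store: [(E ≈ 1) ∧ stb D ∧ (len ≥ prd)] ⊃ fin(Q = D), in every subinterval
STORE = always_sub(implies(conj(held("E", 1), stb("D"), length_at_least(1)),
                           fin(lambda s: s["Q"] == s["D"])))

# Disable (simplified): while E is held at 0 the output is stable, in every subinterval
DISABLE = always_sub(implies(held("E", 0), stb("Q")))


def check_d_latch(trace: Interval) -> Dict[str, bool]:
    return {"unit_delay": UNIT_DELAY(trace), "store": STORE(trace), "disable": DISABLE(trace)}


# Constructed input waveform: enable high, then low while D wiggles, then high again.
E_IN = [1, 1, 1, 0, 0, 0, 1, 1]
D_IN = [0, 1, 1, 1, 0, 1, 0, 0]

if __name__ == "__main__":
    good = d_latch_unit_delay(E_IN, D_IN)
    print("Q:", [s["Q"] for s in good], check_d_latch(good))
    print("plain delay:", check_d_latch(plain_delay(E_IN, D_IN)))
```

The all-subintervals quantification is quadratic in the trace length, which is fine for waveforms of this size; the point is that a specification written as an implication over intervals is directly executable as a check, and that the plain delay element fails exactly the Disable property that distinguishes a latch from a delay.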
Definition of DLatch:

As with the SR-latch, the specification has predicates for examining, modifying
and disabling the device:

DLatch(L) =def
    DLatchStructure(L)
    ∧ □ₐ Store(L)
    ∧ □ₐ Disable(L)
    ∧ □ₐ Steady(L)

DLatchStructure(L) =def
  L: struct[
    (E, D): Bit                     %Inputs
    (Q, Q̄): Bit                     %Outputs
    Status: Bit                     %Internal
    (prd, lat): time                %Parameters
  ]


Definition of Store:

When the latch is enabled, the data signal D's value propagates to the output
Q.

Store(L) =def
    [(E ≈ 1) ∧ stb D ∧ (len ≥ prd)] ⊃ fin[(Status = 1) ∧ (Q = D)]

Definition of Disable:

If the enable signal drops to 0 and the data remains stable, the latch becomes
disabled and retains the value it was set to.

Disable(L) =def
    [↓^{0,prd} E ∧ stb D ∧ beg(Status = 1)]
        ⊃ [fin(Status = 1) ∧ stb(Q, Q̄)]
Definition of Steady:

Whenever the signal Status equals 1, the outputs Q and Q̄ are complements
of each other. If E is disabled, it blocks the status flag and outputs. When E is
enabled, the flag and outputs are blocked by E and the incoming data signal D.

Steady(L) =def
    beg(Status = 1)
        ⊃ [beg(Q = ¬Q̄) ∧ V blk Status ∧ V blk^lat (Q, Q̄)]

where V is a function of the enable signal's initial value:

    E    V
    0    (E)
    1    (E, D)

Building a D-latch

A D-latch can be implemented by connecting a suitable combinational interface
to the inputs of an SR-latch. The interface has inputs E and D and outputs S and
R with stable-state behavior given by the following table:

When the interface is enabled with E at 1, the data signal D controls S and R
for clearing or setting. If E is 0, both S and R are deactivated. The interface has
the following description:

Definition of DLInterface:

DLInterface(A) =def
    DLInterfaceStructure(A)
    ∧ □ₐ Store(A)
    ∧ □ₐ Disable(A)
    ∧ □ₐ Steady(A)
Definition of DLInterfaceStructure:

DLInterfaceStructure(A) =def
  A: struct[
    (E, D): Bit                     %Inputs
    (S, R): Bit                     %Outputs
    Status: Bit                     %Internal
    (prd, lat): time                %Parameters
  ]


Definition of Store:

When the device is enabled, the outputs eventually reflect D and its complement.
This is done so that any connected SR-latch will be actively set to D's value.

Store(A) =def
    [(E ≈ 1) ∧ stb D ∧ (len ≥ prd)]
        ⊃ fin[(Status = 1) ∧ (S = D) ∧ (R = ¬D)]


Definition of Disable:

When the interface is disabled, both outputs smoothly change to 0 so that any
connected SR-latch retains its value.

Disable(A) =def
    [↓^{0,prd} E ∧ stb D ∧ beg(Status = 1)]
        ⊃ [fin(Status = 1 ∧ S = 0 ∧ R = 0) ∧ sm(S, R)]


Definition of Steady:

When the device is steady, the status bit and outputs are blocked by the
appropriate inputs:

Steady(A) =def
    beg(Status = 1) ⊃ (V blk Status ∧ V blk^lat (S, R))

where V is based on the initial value of E:

    E    V
    0    (E)
    1    (E, D)

Combining the interface with an SR-latch

The following predicate shows how to connect the interface's outputs to the
inputs of an SR-latch:

DLatchImplementation(A, L) =def
    DLInterface(A) ∧ SRLatch(L)
    ∧ (A.S ≈ L.S) ∧ (A.R ≈ L.R)

The next property states that this implementation results in a D-latch:

    ⊨ DLatchImplementation(A, L) ⊃ DLatch(M)

where

    M.E ≈ A.E
    M.D ≈ A.D
    M.Q ≈ L.Q
    M.Q̄ ≈ L.Q̄
    M.Status ≈ A.Status ∧ L.Status
    M.lat = A.lat + L.lat
    M.prd = A.prd + L.prd

The interface itself can be built from combinational gates based on the steady-
state formula

    S ≈ (E ∧ D) ∧ R ≈ (E ∧ ¬D).

We omit the details.
Introducing a hold time

In practice, a D-latch's data input need not be held stable during the entire
period when the D-latch is disabled and the enable signal drops. This can be
formalized by adding a hold-time parameter hld and redefining Disable to incorporate
it:

Disable(L) =def
    [↓^{0,prd} E ∧ E blk^hld D ∧ beg(Status = 1)]
        ⊃ [fin(Status = 1) ∧ stb(Q, Q̄)]
Chapter 8

FLIP-FLOPS

§8.1 Simple D-Flip-Flop

The simple D-flip-flop described here has as inputs a clock and a data signal.
The overall structure is given by the following diagram:

    Inputs:      Ck: Bit, D: Bit
    Outputs:     Q: Bit, Q̄: Bit
    Parameters:  (c1, c2, c3, hld, lat): time

If we ignore the clock input Ck and assume unit delay, the flip-flop behavior
can be described by the formula

    [D del Q] ∧ [(¬D) del Q̄]

The predicate SimpleDFlipFlop given below takes a more detailed look at clocking
and propagation.
Definition of SimpleDFlipFlop:

SimpleDFlipFlop(F) =def
    SimpleDFFStructure(F)
    ∧ □ₐ Store(F, i), for i ∈ {0, 1}

Definition of SimpleDFFStructure:

SimpleDFFStructure(F) =def
  F: struct[
    (Ck, D): Bit                    %Inputs
    (Q, Q̄): Bit                     %Outputs
    (c1, c2, c3, hld, lat): time    %Parameters
  ]

Definition of Store:

The predicate Store shows how to store a value in the flip-flop:

Store(F, i) =def
    [↑^{c1,c2,c3} Ck ∧ Ck blk^hld D ∧ beg(D = i)]
        ⇒ [beg(Q = i ∧ Q̄ = ¬i) ∧ Ck blk^lat (Q, Q̄)]

The flip-flop specification can be generalised into a multi-bit register by
representing the input data and the output as vectors of the appropriate length. If
still more detail is desired, such a register can be viewed as a collection of one-bit
flip-flops, each with its own status bit. Incidentally, it is easy to connect, say, the
output of one device to the clock input of another. Here is an example:

    SimpleDFlipFlop(F) ∧ SimpleDFlipFlop(G) ∧ (F.Q ≈ G.Ck)
§8.2 A Flip-Flop with More Timing Information

The predicate DFlipFlop presented below includes additional timing details.
When the clock signal rises, the current value of the data line is stored in the device.
Falling clock edges leave the stored value unchanged. This description also takes
a more precise look at the process of setting up the input data prior to triggering.
When the internal flag Status equals 1, as long as the clock is stable, the output bit
Q remains stable and is also available in complemented form as Q̄.

Definition of DFlipFlop:

Here is the main predicate:

DFlipFlop(F) =def
    DFlipFlopStructure(F)
    ∧ □ₐ Store(F)
    ∧ □ₐ Nontrig(F)
    ∧ □ₐ Steady(F)

Definition of DFlipFlopStructure:

DFlipFlopStructure(F) =def
  F: struct[
    (Ck, D): Bit                    %Inputs
    (Q, Q̄): Bit                     %Outputs
    Status: Bit                     %Internal
    (stp, prd, hld, lat): time      %Parameters
  ]


Definition of Store:

The predicate Store shows how the clock triggers the flip-flop to accept a new
value. The data must not change until after the clock goes high. Before the actual
triggering, the clock and data are set up by being initially stable for at least stp
units of time. The actual clocking is given by the predicate Trigger.

Store(F) =def
    (stb(Ck, D) ∧ [len ≥ stp]) ⇒ Trigger(F)

If desired, we can have separate set-up times for the clock and data inputs. For
example, the value stp.Ck can give the time required to set up the clock. The
following formula demonstrates one way to do this:

    (tstb^{stp.Ck} Ck ∧ tstb^{stp.D} D) ⇒ Trigger(F)

Incidentally, an externally equivalent D-flip-flop specification can be given that
includes an additional internal field SetupStatus equaling 1 whenever the inputs
have been set up.

Definition of Trigger:

After the clock rises and triggers the device, the data input D must remain
stable for at least the hold time specified by the parameter hld. If this condition
is fulfilled, the device ends up steady with Status equaling 1 and Q receiving D's
initial value.

Trigger(F) =def
    (↑^{0,prd} Ck ∧ Ck blk^hld D) ⊃ [fin(Status = 1) ∧ (D → Q)]


Definition of Nontrig:

If the clock has a falling or non-triggering edge and the device is initially steady
then the device remains steady and outputs are stable.

Nontrig(F) =def
    [↓^{0,prd} Ck ∧ beg(Status = 1)]
        ⊃ [fin(Status = 1) ∧ stb(Q, Q̄)]
Definition of Steady:

Whenever the status bit equals 1, it and the outputs remain stable as long as
the clock does, independent of the behavior of the data input. The outputs are
complements.

Steady(F) =def
    beg(Status = 1)
        ⊃ [beg(Q = ¬Q̄) ∧ Ck blk Status ∧ Ck blk^lat (Q, Q̄)]

If desired, the latency factor can be a function of the initial value of the clock or
even the currently stored value.

Comparison of the predicates SimpleDFlipFlop and DFlipFlop

The next property shows how to reduce the predicate DFlipFlop to the predicate
SimpleDFlipFlop presented earlier:

    ⊨ DFlipFlop(F) ⊃ SimpleDFlipFlop(G)

where G is constructed from F as follows:

    G[field] ≈ F[field], for field ∈ {Ck, D, Q, Q̄}
    G.c1 = F.stp
    G.c2 = F.prd
    G.c3 = F.prd
    G.hld = F.hld
    G.lat = F.lat

Simplifying the predicate Store in DFlipFlop

By merging the processes for setting up and triggering the flip-flop, we can
eliminate the predicate Trigger and define Store as follows:

Store(F) =def
    [↑^{stp,prd} Ck ∧ Ck blk^hld D] ⊃ [fin(Status = 1) ∧ (D → Q)]

Here the clock input is set up at least stp units of time. Because the clock blocks
the data input D, D is also set up.
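The simplified Store formula can also be turned into a trace check. The Python below is an added example, not the dissertation's own formalism: it encodes one reading of ↑^{stp,prd} Ck, of the set-up and hold requirement on D, and of D → Q as finite-trace predicates, quantifies them over every subinterval, and runs them against a constructed edge-triggered flip-flop model. Two further runs show that a model whose propagation delay exceeds prd violates the property, and that a trace which breaks the hold requirement simply never triggers it, so the specification says nothing about Q there. The timing values, the model and the operator readings are this example's assumptions.

```python
"""Added example: check the simplified Store property of the edge-triggered
D flip-flop on every subinterval of a finite trace.

Finite-trace readings used here (this example's own assumptions):
  * rising edge with timing (stp, prd): the interval has stp + prd steps, Ck is 0
    on its first stp + 1 states and 1 on the remaining prd states;
  * set-up and hold of D: D keeps one value from the start of the interval
    through hld states after the edge;
  * D → Q: the final value of Q equals the initial value of D.
Status is not modelled, so only the D → Q part of the consequent is checked.
"""
from typing import Dict, List, Tuple

State = Dict[str, int]
Interval = List[State]


def rising_edge(iv: Interval, stp: int, prd: int) -> bool:
    """One reading of the rise operator with timing (stp, prd)."""
    if len(iv) - 1 != stp + prd:
        return False
    low, high = iv[:stp + 1], iv[stp + 1:]
    return all(s["Ck"] == 0 for s in low) and all(s["Ck"] == 1 for s in high)


def data_set_up_and_held(iv: Interval, stp: int, hld: int) -> bool:
    """D stable from the interval start through hld states after the edge."""
    edge = stp + 1                       # first state in which Ck is 1
    if edge + hld > len(iv) - 1:         # the hold window must fit
        return False
    return all(s["D"] == iv[0]["D"] for s in iv[:edge + hld + 1])


def store_antecedent(iv: Interval, stp: int, prd: int, hld: int) -> bool:
    return rising_edge(iv, stp, prd) and data_set_up_and_held(iv, stp, hld)


def store_consequent(iv: Interval) -> bool:
    """D → Q: Q at the end of the interval equals D at its beginning."""
    return iv[-1]["Q"] == iv[0]["D"]


def check_store(trace: Interval, stp: int, prd: int, hld: int) -> Tuple[int, int]:
    """Quantify over all subintervals; return (triggered, violated) counts."""
    triggered = violated = 0
    for i in range(len(trace)):
        for j in range(i, len(trace)):
            iv = trace[i:j + 1]
            if store_antecedent(iv, stp, prd, hld):
                triggered += 1
                if not store_consequent(iv):
                    violated += 1
    return triggered, violated


def simulate_dff(ck: List[int], d: List[int], lat: int, q0: int = 0) -> Interval:
    """Constructed model: D is sampled in the first state after Ck rises and the
    sample reaches Q lat steps later. Not the dissertation's model."""
    q = [q0] * len(ck)
    for t in range(1, len(ck)):
        if ck[t - 1] == 0 and ck[t] == 1:        # rising edge at step t
            for u in range(t + lat, len(ck)):    # later edges overwrite this
                q[u] = d[t]
    return [{"Ck": ck[t], "D": d[t], "Q": q[t]} for t in range(len(ck))]


# Constructed waveforms: two clock pulses, D set up before and held after each edge.
CK = [0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0]
D_OK = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1]
# Same clock, but D changes in the very state the clock rises (hold violation at t = 3).
D_HOLD_VIOLATION = [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1]
STP, PRD, HLD = 2, 3, 1


def q_values(trace: Interval) -> List[int]:
    return [s["Q"] for s in trace]


if __name__ == "__main__":
    fast = simulate_dff(CK, D_OK, lat=2)
    slow = simulate_dff(CK, D_OK, lat=4)      # propagation slower than prd
    unheld = simulate_dff(CK, D_HOLD_VIOLATION, lat=2)
    print("fast:", q_values(fast), check_store(fast, STP, PRD, HLD))
    print("slow:", q_values(slow), check_store(slow, STP, PRD, HLD))
    print("hold violated:", q_values(unheld), check_store(unheld, STP, PRD, HLD))
```

The triggered count is worth reporting alongside the violation count: a property that is never triggered on a trace has been vacuously satisfied, which is exactly what happens on the hold-violating waveform, where only the second clock pulse meets the antecedent.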
§8.3 Implementation of D-Flip-Flop

A D-flip-flop can be constructed out of two components in a manner similar to
building a D-latch. The first component, known as the master latch, serves as an
interface between the clock and data inputs on one hand and the second component,
the slave latch, on the other. The slave provides the flip-flop's outputs. There are
four key time periods in the overall flip-flop operation: clock is 0, clock rises from
0 to 1, clock is 1, and clock drops from 1 to 0:

• When the clock is 0, the master latch disables the slave, which maintains whatever
value was previously stored. At this time, the clock and data inputs can be set
up for clocking in a new bit.

• Upon the clock transition from 0 to 1, the master latch itself stores the incoming
data signal and actively propagates it to the slave. The slave in turn adjusts the
outputs to reflect the new data.

• As long as the clock remains at 1, the master continues to transmit the stored
value to the slave.

• When the clock drops from 1 to 0, the master disables the slave, leaving the
stored value undisturbed. At this point, the cycle of clocking can be repeated.

Specification of the master latch

The master latch has the following structure:

    Inputs:      Ck: Bit, D: Bit
    Outputs:     S: Bit, R: Bit
    Parameters:  (stp, hld, prd, lat): time
The timing parameters have the same form as in the flip-flop description since
the master device has the clock and data signals as inputs.

Master(M) =def
    MasterStructure(M)
    ∧ □ₐ Store(M)
    ∧ □ₐ Nontrig(M)
    ∧ □ₐ Steady(M)

Definition of MasterStructure:

MasterStructure(M) =def
  M: struct[
    (Ck, D): Bit                    %Inputs
    (S, R): Bit                     %Outputs
    Status: Bit                     %Internal
    (stp, hld, prd, lat): time      %Parameters
  ]

Definition of Store:

The data value present when the clock rises determines the S and R outputs.

Store(M) =def
    (stb(Ck, D) ∧ len ≥ stp) ⇒ Trigger(M)

where the predicate Trigger is defined as follows:

Trigger(M) =def
    (↑^{0,prd} Ck ∧ Ck blk^hld D)
        ⊃ [fin(Status = 1) ∧ (D → S) ∧ (¬D → R)]
Definition of Nontrig:

If the master latch is initially steady, then after the clock drops, both S and
R become smoothly disabled at 0.

Nontrig(M) =def
    [↓^{0,prd} Ck ∧ beg(Status = 1)]
        ⊃ [fin([S = 0] ∧ [R = 0] ∧ [Status = 1]) ∧ sm(S, R)]

Definition of Steady:

When the master latch is steady, the status flag and the outputs are blocked
by the clock.

Steady(M) =def
    beg(Status = 1) ⊃ [Ck blk Status ∧ Ck blk^lat (S, R)]
Combining the latches

The next predicate shows how the master and slave latches are combined to
implement a D-flip-flop. We use an SR-latch as the slave.

DFFImplementation(M, L) =def
    Master(M) ∧ SRLatch(L)
    ∧ (M.S ≈ L.S) ∧ (M.R ≈ L.R)

The mapping from the latches to the flip-flop takes the following form:

    ⊨ DFFImplementation(M, L) ⊃ DFlipFlop(F)

where the tuple F is constructed as follows:

    F.Ck ≈ M.Ck
    F.D ≈ M.D
    F.Q ≈ L.Q
    F.Q̄ ≈ L.Q̄
    F.Status ≈ (M.Status ∧ L.Status)
    F.stp = M.stp
    F.prd = L.prd + M.prd
    F.hld = M.hld
    F.lat = L.lat + M.lat

§8.4 D-Flip-Flops with Asynchronous Initialization Signals

Integrated circuits such as the TTL 7474 chip [48] contain D-flip-flops with
extra inputs for initialisation. Since these pins are used more or less independently
of the clock, they are called asynchronous. The device considered here has a single
asynchronous input Clr:

    Inputs:      Ck: Bit, D: Bit, Clr: Bit
    Outputs:     Q: Bit, Q̄: Bit
    Internal:    Status: Bit
    Parameters:  (stp, prd, hld, lat): time

Definition of AsynchDFlipFlop:

The specification has predicates for operating the clock and clear signals:

AsynchDFlipFlop(F) =def
    AsynchDFFStructure(F)
    ∧ □ₐ UseClock(F)
    ∧ □ₐ UseClear(F)
    ∧ □ₐ Steady(F)

Definition of AsynchDFFStructure:

AsynchDFFStructure(F) =def
  F: struct[
    (Ck, D, Clr): Bit               %Inputs
    (Q, Q̄): Bit                     %Outputs
    Status: Bit                     %Internal
    (stp, prd, hld, lat): time      %Parameters
  ]

Definition of UseClock:

During periods when the input Clr equals 0, the device acts according to the
earlier specification DFlipFlop:

UseClock(F) =def
    [Clr ≈ 0] ⊃ DFlipFlop(G)

where G contains exactly the following fields of F:

    Ck, D, Q, Q̄, Status, stp, prd, hld, lat

Definition of UseClear:

When the clock is stable, the input Clr can be used to initialise the flip-flop:

UseClear(F) =def
    stb Ck ⊃ [Clear(F) ∧ Disable(F)]

Definition of Clear:

If the input Clr equals 1 long enough, the output Q is zeroed and the device
becomes steady:

Clear(F) =def
    (Clr ≈ 1 ∧ len ≥ prd) ⊃ fin[(Status = 1) ∧ (Q = 0)]

Definition of Disable:

When the device is steady and the input Clr drops to 0, the device remains
steady:

Disable(F) =def
    [↓^{0,prd} Clr ∧ beg(Status = 1)] ⊃ fin[(Status = 1) ∧ …]

Definition of Steady:

When the flip-flop is steady, the inputs Ck and Clr together block the signals
Status, Q and Q̄:

Steady(F) =def
    beg(Status = 1) ⊃ [beg(Q = ¬Q̄) ∧ (Ck, Clr) blk (Status, Q, Q̄)]


Chapter 9

MORE DIGITAL DEVICES

We now consider techniques for describing and reasoning about multiplexers,
random-access memories, counters and shift registers.

§9.1 Multiplexer

A multiplexer has a number of addressable inputs and can selectively output
any one of them. The device considered below can be optionally disabled, in which
case it outputs a zero. The general structure is as follows:

    Inputs:      Addr: Bitⁿ, In: Bit^(2ⁿ), E: Bit
    Output:      Out: Bit
    Parameters:  n: nat, (prd, lat): time

The device operates roughly according to the table below:

    operation    E    Out
    select       1    In[loc]
    disable      0    0

where loc = nval(Addr). If we ignore propagation delay, the multiplexer behaves
according to the formula

    Out ≈ (if [E = 1] then In[nval(Addr)] else 0)

During periods when the device is enabled with E = 1, the formula reduces to

    Out ≈ In[nval(Addr)]


Definition of Multiplexer:

The multiplexer's main predicate is as follows:

Multiplexer(X) =def
    MultiplexerStructure(X)
    ∧ □ₐ Select(X, loc), for loc ∈ [0, 2ⁿ − 1]
    ∧ □ₐ Disable(X)

Definition of MultiplexerStructure:

The device has an n-bit vector Addr for selecting one of 2ⁿ possible incoming
bits of the vector In.

MultiplexerStructure(X) =def
  X: struct[
    Addr: Bitⁿ, In: Bit^(2ⁿ), E: Bit     %Inputs
    Out: Bit                             %Outputs
    n: nat, (prd, lat): time             %Parameters
  ]

Definition of Select:

If the enable signal E is held at 1 and the address line and its associated input
are stable, the output ends up equal to the input line indicated by the static variable
loc.

Select(X, loc) =def
    ([E ≈ 1] ∧ stb In[loc] ∧ [nval(Addr) ≈ loc] ∧ len ≥ prd)
        ⇒ [beg(Out = In[loc]) ∧ (E, Addr, In[loc]) blk^lat Out]

Definition of Disable:

Holding the signal E at 0 clears the output.

Disable(X) =def
    (E ≈ 0 ∧ len ≥ prd) ⇒ [beg(Out = 0) ∧ E blk Out]

Alternative specifications

Like the adder discussed earlier, the predicate Multiplexer can be equivalently
specified with an internal status bit and predicate Steady.

The timing parameters could be made more detailed so that, for example, the
parameter select.prd would give the propagation time when using the predicate
Select.


§9.2 Memory

The memory described here has the following form:

    Inputs:      Addr: Bitⁿ, Data: Bit, E: Bit
    Outputs:     Out[0]: Bit, ..., Out[2ⁿ − 1]: Bit
    Internal:    Status[0]: Bit, ..., Status[2ⁿ − 1]: Bit
    Parameters:  n: nat, (prd, stp, lat): time

There is a series of cells, each associated with status and output bits. At any time,
at most one cell can be selected and modified. During this period the remaining
cells are left untouched. When the enable signal is inactive at 0, no cell can be
altered.

If we assume unit delay, the memory behaves as follows:

    [if (E = 1) then alter(Out, nval(Addr), Data) else Out] del Out

where the function alter(Out, i, a) equals a vector whose i-th element equals a and
whose remaining elements equal those in Out. The behavior can also be expressed
using iteration and an in-place variant of alter:

    (skip ∧ [if (E = 1) then Alter(Out, nval(Addr), Data) else (stb Out)])*

where Alter(Out, i, a) sets the i-th element of Out to a and leaves the others
unchanged:

    Alter(Out, i, a) =def (alter(Out, i, a) → Out)

In practice, a memory has a multiplexer connected to the outputs so that at
any time at most a single cell can be read. This technique permits one cell to be
written while another is being retrieved. We do not include such multiplexers here.

Definition of Memory:

Memory(M) =def
    MemoryStructure(M)
    ∧ ∀loc ∈ [0, 2ⁿ − 1].
        (□ₐ Enable(M, loc)
        ∧ □ₐ Write(M, loc)
        ∧ □ₐ Disable(M, loc, mode), for mode ∈ '{selected, not_selected}
        ∧ □ₐ Steady(M, loc, mode),
              for mode ∈ '{disabled, selected, not_selected})

Definition of MemoryStructure:

MemoryStructure(M) =def
  M: struct[
    Addr: Bitⁿ, Data: Bit, E: Bit   %Inputs
    Out: Bit^(2ⁿ)                   %Outputs
    Status: Bit^(2ⁿ)                %Internal
    n: nat, (prd, stp, lat): time   %Parameters
  ]

Definition of Enable:

When the memory becomes enabled with E rising from 0 to 1 and a cell does
not have the address selected by Addr, the cell's output remains stable.

Enable(M, loc) =def
    (↑^{stp,prd} E ∧ stb Addr ∧ beg[nval(Addr) ≠ loc ∧ Status[loc] = 1])
        ⊃ [fin(Status[loc] = 1) ∧ stb Out[loc]]

Definition of Write:

When the device is enabled, the cell addressed by Addr can be written with
the value of the data input.

Write(M, loc) =def
    (len ≥ prd ∧ [E ≈ 1] ∧ stb Data ∧ nval(Addr) ≈ loc)
        ⊃ fin[(Status[loc] = 1) ∧ (Out[loc] = Data)]

Definition of Disable:

Disabling the memory does not affect a steady cell's output. If the cell is
currently addressed, both Addr and Data must remain stable until after E drops.
Otherwise only Addr need hold. The predicate check, defined below, ensures that
the particular location is in the indicated mode.

Disable(M, loc, mode) =def
    (↓^{0,prd} E ∧ stb U ∧ beg[check(M, loc, mode) ∧ (Status[loc] = 1)])
        ⊃ [fin(Status[loc] = 1) ∧ stb Out[loc]]

where U is as follows:

    mode            U
    selected        (Addr, Data)
    not_selected    (Addr)

Definition of Steady:

Steady(M, loc, mode) =def
    beg[(Status[loc] = 1) ∧ check(M, loc, mode)]
        ⊃ (V blk Status[loc] ∧ V blk^lat Out[loc])

where the table below gives V as a function of the indicated mode:

    mode            V
    disabled        (E)
    selected        (E, Addr, Data)
    not_selected    (E, Addr)

If a cell is steady, its output is blocked by the signal E and other appropriate inputs
based on whether the device is enabled and whether the cell is the one selected. If
the entire memory is disabled, only E blocks the cells. If the memory is enabled and
the particular cell is the one selected, the cell's output is blocked by the inputs E,
Addr and Data. If however the cell is currently not selected, it is blocked only by E
and Addr. This is summarised in the table shown after the definition of Steady. The
predicate check, defined below, makes certain that the particular memory location
is indeed in the chosen mode of operation.

Definition of check:

The predicate check verifies that the given location is in the specified mode of
operation:

    mode            check(M, loc, mode)
    disabled        E = 0
    selected        (E = 1) ∧ (nval(Addr) = loc)
    not_selected    (E = 1) ∧ (nval(Addr) ≠ loc)


§9.3 Counters

We can model a simple counter by means of addition and unit-delay:

    (I + 1) del I

The next formula shows a way to handle initialisation:

    [if (Clr = 1) then 0 else (I + 1)] del I

If it is only necessary that the counter is initially equal to 0, the formula below
can be used:

    beg(I = 0) ∧ [(I + 1) del I]

The following example takes finite precision into account:

    [(I + 1) mod 2ⁿ] del I

Clocked counter

A clocked counter stores a number that can be incremented by 1, modulo some
base, when the device is triggered. Here is the physical structure:

    Inputs:      Ck: Bit, Clr: Bit
    Output:      Out: Bitⁿ
    Internal:    Status: Bit
    Parameters:  n, c1, c2, c3

The binary counter considered here cycles through the numbers 0 to 2ⁿ − 1. Not all
counters are binary; for example, a decade counter has a 4-bit output and cycles
through the numbers 0 to 9. The values 10 to 15

Definition of Counter:

The predicates Clear and Increment specify how to clear and increment the
counter's output.

Counter(C) =def
    CounterStructure(C)
    ∧ □ₐ Clear(C)
    ∧ □ₐ Increment(C)
    ∧ □ₐ Steady(C)

Definition of CounterStructure:

The device's structure is given below. The internal bit signal Status indicates
when the device is in a steady state.

CounterStructure(C) =def
  C: struct[
    (Ck, Clr): Bit                  %Inputs
    Out: Bitⁿ                       %Outputs
    Status: Bit                     %Internal
    n: nat, (c1, c2, c3): time      %Parameters
  ]

Definition of Clear:

When the clock has a positive pulse and the input Clr equals 1, the device is
cleared and ends up steady with Status equaling 1:

Clear(C) =def
    (↑^{c1,c2,c3} Ck ∧ beg(Clr = 1) ∧ Ck blk Clr)
        ⊃ fin[nval(Out) = 0 ∧ Status = 1]

Definition of Increment:

If the device is initially steady and the clock is pulsed and Clr equals 0, then
the output vector's numerical value is incremented by 1 modulo 2ⁿ. The device
ends up steady.

Increment(C) =def
    [↑^{c1,c2,c3} Ck ∧ beg(Status = 1 ∧ Clr = 0) ∧ Ck blk Clr]
        ⊃ (([nval(Out) + 1] mod 2ⁿ → nval(Out)) ∧ fin(Status = 1))

Definition of Steady:

When the bit signal Status equals 1, the clock input blocks both Status and
Out. The blocking factor lat is associated with Out.

Steady(C) =def
    beg(Status = 1) ⊃ [Ck blk Status ∧ Ck blk^lat Out]

§9.4 Shift Register

A shift register stores a bit vector that can be selectively initialised, shifted or
left untouched. Some shift registers are bidirectional or can shift more than one
place in a single operation. Others recirculate the bits or have special provisions
for signed arithmetic. The output of a shift register may reflect the entire state or
only part of it.

The TTL device discussed here stores n bits that, when triggered, can be
cleared, loaded with some data, shifted right by one place or maintained unchanged.
The general form is given below. We omit the timing parameters from the diagram.

    Inputs:      (Ck, Clr, Sh, Ld, Se): Bit, D: Bitⁿ
    Outputs:     Q: Bitⁿ, Q̄lsb: Bit
    Internal:    Status: Bit

The register has a capacity of n bits that are output by the vector Q. The
least significant bit Q[n − 1] is also output in complemented form by Q̄lsb. When
clocking takes place, the fields Clr, Sh and Ld determine which operation occurs.
The following table describes the general behavior upon clocking:

    operation    Clr    Sh    Ld    Q
    clear        1      -     -     (0)ⁿ
    shift        0      1     -     (Se) ∥ Q[0 to n−2]
    load         0      0     1     D
    nop          0      0     0     Q

The expression (0)ⁿ stands for a list of n 0's. Depending on the operation, only
certain inputs are needed. For example, when Clr is 0, Sh is 1 and a shift is to
take place, the device ignores the inputs Ld and D.

Definition of ShiftRegister:

As with the counter described earlier, the shift register specification has predicates
for clocking and steadiness.

ShiftRegister(H) =def
    ShiftRegStructure(H)
    ∧ □ₐ Trigger(H, op), for op ∈ '{clear, shift, load, nop}
    ∧ □ₐ Nontrig(H)
    ∧ □ₐ Steady(H)
Definition of ShiftRegStructure:

ShiftRegStructure(H) =def
  H: struct[
    (Ck, Clr, Sh, Ld, Se): Bit, D: Bitⁿ         %Inputs
    Q: Bitⁿ, Q̄lsb: Bit                          %Outputs
    Status: Bit                                 %Internal
    n: positive,                                %Parameters
    (lat, prd): time,
    stp: (Ck, Clr, Sh, Ld, Se, D, Q): time,
    hld: (Clr, Sh, Ld, Se, D, Q): time
  ]

The register's length n must be at least 1.

Definition of Steady:

When the status bit equals 1, the output Q̄lsb equals the complement of Q's
least significant bit Q[n − 1].

Steady(H) =def
    beg(Status = 1)
        ⊃ [beg(Q̄lsb = ¬Q[n − 1])
            ∧ Ck blk Status ∧ Ck blk^lat (Q, Q̄lsb)]


Definition  of  Trigger: 

The  value  of  op  determines  the  particular  operation  to  be  undertaken.  For 
example,  the  field  name  ’  load  is  used  as  a  parameter  to  Trigger  for  performing  a 
load  operation. 

Trigger (H,  op)  moot 

SetUp(H,  op)  Compute(H,  op) 


* 
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Definition  of  Setlfp: 

The  predicate  SetUp  ensures  that  the  appropriate  input  signals  hare  the  proper 
values  sad  are  stable  bag  enough  prior  to  the  actual  operation.  The  predicates 
cheek  and  inpaet  used  here  are  defined  later. 

SetUp(H,  op)  =<jef 

fin[eheek(H,  op)] 

A  Vfield  €  [inpeet(op)  u  {*  Clfc)].  (tetb'W*14*  H [field ]) 

Definition  of  Compute: 

The text of Compute overviews the clocking involved in performing an operation. The predicate Hold describes how inputs must be held as the clock rises. The function result indicates the new value of the output Q.

$Compute(H, op) =_{def}$
$\quad [\uparrow^{lat,prd} Ck\ \wedge\ Hold(H, op)]$
$\quad \supset\ [fin(Status = 1)\ \wedge\ (result(H, op) \rightarrow Q)]$

After  clocking,  the  status  bit  ends  up  equal  to  1  and  the  output  vector  Q  receives 
the  selected  function  of  the  inputs. 


Definition  of  cheek: 


The  predicate  check  gives  the  values  of  the  control  bits  Clr,  Sh  and  Ld  necessary 
for  the  desired  operation. 

op      check(H, op)
clear   $Clr = 1$
shift   $(Clr = 0) \wedge (Sh = 1)$
load    $(Clr = 0) \wedge (Sh = 0) \wedge (Ld = 1)$
nop     $(Clr = 0) \wedge (Sh = 0) \wedge (Ld = 0)$


Definition of inpset:

The function inpset specifies the set of inputs needed in performing the particular operation. For example, during shifting, the Ld control signal is ignored and is therefore not listed.

op      inpset(op)
clear   '{Clr}
shift
load    '{Clr, Sh, Ld, D}
nop     '{Clr, Sh, Ld, Q}

Definition  of  Hold: 

Each  operation’s  required  input  signals  must  be  held  stable  beyond  the  clock 
transition  for  the  time  given  in  the  corresponding  subfield  of  hid. 

$Hold(H, op) =_{def}$
$\quad \forall field \in inpset(op).\ (Ck\ \uparrow\!blk^{\,hld[field]}\ H[field])$


Definition  of  result: 

For each of the three clocked operations, the function result specifies the output Q's new value.

op      result(H, op)
clear   $(0)^n$
shift   $(Se) \| Q[0\ \mathrm{to}\ n-2]$
load    $D$
nop     $Q$

Definition  of  Nontrig: 

If the shift register is steady, a falling clock edge preserves the status bit and leaves the outputs Q and Qlsb stable.

$Nontrig(H) =_{def}$
$\quad [\downarrow^{lat,prd} Ck\ \wedge\ beg(Status = 1)]\ \supset\ [fin(Status = 1)\ \wedge\ stb(Q, Qlsb)]$


Variant  specifications 

A more detailed description can be given with separate timing information for the operations clear, shift, load and nop. In addition, the times for rising and falling clock edges need not be the same.

Alternatively, we can combine the control inputs into a signal called Op and ignore the details of clocking. The signal Op ranges over the values 'clear, 'shift, 'load and 'nop. The next formula describes the corresponding behavior using unit delay and a case construct:

$\Big(\ case\ Op\ of$
$\qquad clear:\ (0)^n$
$\qquad shift:\ (Se) \| Q[0\ \mathrm{to}\ n-2]$
$\qquad load:\ D$
$\qquad nop:\ Q\ \Big)\ del\ Q$

The case expression uses as its value the entry selected by Op. For example, when Op equals 'load, the case expression equals D. The expression $(0)^n$ equals an n-element list of 0's.


Combining  shift  registers 


Two  shift  registers  can  be  connected  to  form  a  larger  one.  The  following 
property  reflects  this  with  the  shift  register  H  containing  the  most  significant  bits 
and  I  containing  the  least  significant  bits: 

$[ShiftRegister(H)\ \wedge\ ShiftRegister(I)$
$\quad \wedge\ (H.Ck \approx I.Ck)\ \wedge\ (H.Clr \approx I.Clr)\ \wedge\ (H.Sh \approx I.Sh)$
$\quad \wedge\ (H.Ld \approx I.Ld)\ \wedge\ (H.Q[n-1] \approx I.Se)\ \wedge\ (H.lat \geq I.hld.Se)]$
$\supset\ ShiftRegister(J)$

where

$J[field] \approx H[field],\ \text{for } field \in {}'\{Ck, Clr, Sh, Ld\}$
$J.D \approx H.D \| I.D$
$J.Se \approx H.Se$
$J.Q \approx H.Q \| I.Q$
$J.Status \approx H.Status \wedge I.Status$
$J.n = H.n + I.n$
$J.prd = \max(H.prd, I.prd)$
$J.stp[field] = \max(H.stp[field], I.stp[field]),\ \text{for } field \in {}'\{Ck, Clr, Sh, Ld, D\}$
$J.stp.Se = H.stp.Se$
$J.stp.Q = \max(H.stp.Q, I.stp.Q, I.stp.Se)$
$J.hld[field] = \max(H.hld[field], I.hld[field]),\ \text{for } field \in {}'\{Clr, Sh, Ld, D\}$
$J.hld.Se = H.hld.Se$
$J.hld.Q = \max(H.hld.Q, I.hld.Q, I.hld.Se)$
$J.lat = \min(H.lat, I.lat)$

An  abbreviated  form  of  this  property  can  be  expressed  for  combining  two  unit-delay 
shift  registers. 
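The unit-delay variant and the combination property above, as an added executable model (not code from the thesis): two registers H and I with I.Se wired to H.Q[n − 1] are stepped side by side with a single register J of length H.n + I.n, and the model checks that the two agree after every step. The operation sequence and the bit values are constructed sample inputs.

```python
"""Added example (not from the thesis): an executable model of the unit-delay
shift register variant and a check of the composition property, i.e. that two
registers H (high bits) and I (low bits) with I.Se wired to H.Q[n-1] behave as
one register J of length H.n + I.n.  Bit lists follow the thesis convention:
index 0 is the most significant bit."""

OPS = ("clear", "shift", "load", "nop")


def next_q(op, q, d, se):
    """The case expression for del Q: the value Q takes in the next state."""
    n = len(q)
    if op == "clear":
        return [0] * n                 # (0)^n
    if op == "shift":
        return [se] + q[: n - 1]       # (Se) || Q[0 to n-2]: Se enters at Q[0], Q[n-1] is dropped
    if op == "load":
        return list(d)                 # D
    if op == "nop":
        return list(q)                 # Q
    raise ValueError("unknown op %r" % (op,))


def run_register(q, inputs):
    """Run one register over a sequence of (op, D, Se) inputs; return the final Q."""
    for op, d, se in inputs:
        q = next_q(op, q, d, se)
    return q


def run_pair(h_q, i_q, inputs):
    """Run H and I in lock step with shared control, J.D = H.D || I.D, J.Se = H.Se,
    and I.Se = H.Q[n-1] taken from the current state, as the combination property wires them."""
    n = len(h_q)
    for op, d, se in inputs:
        h_next = next_q(op, h_q, d[:n], se)
        i_next = next_q(op, i_q, d[n:], h_q[n - 1])
        h_q, i_q = h_next, i_next
    return h_q + i_q                   # J.Q = H.Q || I.Q


def composition_holds(h_q, i_q, inputs):
    """True iff the wired pair and the single 2n-bit register agree after every step."""
    j_q = h_q + i_q
    for k in range(1, len(inputs) + 1):
        if run_pair(h_q, i_q, inputs[:k]) != run_register(j_q, inputs[:k]):
            return False
    return True


# Constructed sample: two 3-bit registers, so J is 6 bits wide and D is always 6 bits.
SAMPLE_INPUTS = [
    ("load",  [1, 0, 1, 1, 1, 0], 0),
    ("shift", [0, 0, 0, 0, 0, 0], 1),
    ("shift", [0, 0, 0, 0, 0, 0], 0),
    ("nop",   [1, 1, 1, 1, 1, 1], 1),
    ("clear", [1, 1, 1, 1, 1, 1], 1),
    ("shift", [0, 0, 0, 0, 0, 0], 1),
]

if __name__ == "__main__":
    print(run_pair([0, 0, 0], [0, 0, 0], SAMPLE_INPUTS))          # [1, 0, 0, 0, 0, 0]
    print(composition_holds([0, 0, 0], [0, 0, 0], SAMPLE_INPUTS))  # True
```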
Chapter 10

MULTIPLICATION CIRCUIT


The  hardware  multiplier  considered  here  is  motivated  by  one  discussed  in 
Wagner’s  work  on  hardware  verification  [40].  The  desired  device  behavior  is  first 
described  followed  by  a  look  at  implementation  techniques.  The  multiplier  has  the 
following  general  structure: 


M: struct[
  (Ck, Ld): Bit,            % Inputs
  (In1, In2): Bit^n,
  Out: Bit^{2n},            % Outputs
  (n, count): nat,          % Parameters
  (c1, c2, c3): time
]

The circuit accepts two values and after a given number of clock cycles yields their product. The values are represented as unsigned n-bit vectors In1 and In2, while the output Out is a 2n-bit vector. In addition, there are two input bits Ck and Ld for controlling operation. The signal Ck serves as the clock input and Ld initiates the loading of the vectors to be multiplied. The field count tells how many clock cycles are required. The values c1, c2 and c3 are timing coefficients used in the behavioral description.

§10.1  Specification  of  Multiplier 

The multiplier is first specified by means of the predicate Multiplier(M). We then develop an iterative, timing-independent multiplication algorithm that computes a product by a series of successive additions. Later, the predicate Implementation(H) characterises a device that computes sums and in fact has the algorithm's steps embedded within it. A logical implication is then given, showing how Implementation(H) realises Multiplier(M).

Definition  of  Multiplier: 

Here  is  the  main  predicate: 

$Multiplier(M) =_{def}$
$\quad MultStructure(M)$
$\quad \wedge\ \Box\, Calculate(M)$

Definition  of  MultStructure: 

The  multiplier  has  the  following  structure: 

MultStructure(M) =def
  M: struct[
    (Ck, Ld): Bit,            % Inputs
    (In1, In2): Bit^n,
    Out: Bit^{2n},            % Outputs
    (n, count): nat,          % Parameters
    (c1, c2, c3): time
  ]

Definition  of  Calculate: 

If the inputs behave as specified by the predicate Control, the output Out ends up with the product of the initial values of In1 and In2.

$Calculate(M) =_{def}$
$\quad Control(M)\ \supset$
$\qquad [nval(In1) \cdot nval(In2)] \rightarrow nval(Out)$

Definition of Control:

The  predicate  Control  describes  the  required  sequencing  of  the  inputs  so  that 
a  multiplication  takes  place.  The  computation  first  loads  the  circuit  and  then  keeps 
the  load  line  inactive  while  the  clock  is  cycled. 

$Control(M) =_{def}\ Load(M);\ ([Ld \approx 0]\ \wedge\ Cycling(M))$

Definition  of  Load: 

Loading is done as indicated by the predicate Load. The clock is cycled as given by the predicate SingleCycle. The control signal Ld starts with the value 1 and together with the other inputs In1 and In2 remains initially stable as long as the clock input Ck does.

$Load(M) =_{def}$
$\quad SingleCycle(M)\ \wedge\ beg(Ld = 1)\ \wedge\ Ck\ blk\ \{Ld, In1, In2\}$

Definition  of  Single  Cycle: 

An  individual  clock  cycle  consists  of  a  negative  pulse: 

$SingleCycle(M) =_{def}\ \downarrow^{c1,c2,c3} Ck$

The  clock  signal  falls  from  1  to  0  and  then  rises  back  to  1.  The  three  times  given 
indicate  the  minimum  widths  of  the  levels  during  which  the  clock  is  stable. 

Definition  of  Cycling: 

The  overall  cycling  of  the  clock  is  as  follows: 

$Cycling(M) =_{def}\ (SingleCycle(M))^{count}$

A total of count individual cycles must be performed one after the other, where each is a negative pulse satisfying the predicate SingleCycle.

Variants of the specification

The  predicate  Multiplier  does  not  represent  the  only  way  to  describe  the  mul¬ 
tiplier  circuit.  Alternative  approaches  based  on  internal  variables  can  be  shown  to 
be  formally  equivalent  to  the  one  given  here.  A  useful  extension  to  this  description 
specifies  that  once  the  output  is  computed,  it  remains  stable  as  long  as  the  control 
inputs  do.  If  desired,  additional  quantitative  timing  details  can  readily  be  included. 

§10.2 Development of Multiplication Algorithm

The  specification  predicate  Multiplier  intentionally  makes  no  reference  to  any 
particular  technique  for  multiplying.  Since  the  process  of  multiplication  does  not 
generally  depend  on  any  specific  circuit  timing,  it  is  natural  to  separate  algorithmic 
issues  from  other  implementation  details.  We  now  use  ITL  as  a  basis  for  deriving  a 
suitable circuit-independent algorithm for determining the product and in the next
section  as  a  means  for  describing  hardware  that  realises  this  method.  The  synthesis 
process  can  be  viewed  as  a  proof  in  reverse,  starting  with  the  goal  and  ending  with 
the  necessary  assumptions  to  achieve  it. 

The  aim  here  is  to  obtain  an  algorithm  describing  some  way  for  doing  the 
multiplication.  The  variables  n,  Ini,  In2  and  Out  are  represented  as  fields  of  a 
variable  A.  The  predicate  Goal  below  specifies  the  desired  result: 

$Goal(A) =_{def}$
$\quad [nval(In1) \cdot nval(In2)] \rightarrow nval(Out)$

The output Out should end up with the product of the data inputs In1 and In2. The presentation given here reduces the problem of multiplying the two n-bit vectors to that of using repeated additions to determine successively larger partial products. The algorithm consists of initialisation followed by n successive iterations. After i iterations of the loop, for i ≤ n, the initial product of In1 and the least significant i bits of In2, that is,

$nval(In1) \cdot nval(In2\{i-1\ \mathrm{to}\ 0\})$

is computed and available in the upper n + i bits of Out. Recall that the subscripting brackets {} index a vector from the right. Although neither In1 nor In2 is guaranteed to remain stable, their initial values must be used throughout the calculation. The lower n − i bits of Out hold the unexamined bits of In2 (i.e., In2{n − 1 to i}). In addition, an extra n-bit variable Temp is introduced in order to remember the original value of In1. The following figure informally depicts the situation after i steps:

[Figure: the 2n-bit vector Out after i steps. Bits 2n − 1 to n − i (n + i bits) hold the partial product nval(In1) · nval(In2{i − 1 to 0}); bits n − i − 1 to 0 (n − i bits) hold the rest of In2, In2{n − 1 to i}. Temp holds the value of In1.]

After  n  steps,  Out  equals  the  desired  2n-bit  multiplication  result. 

The predicate Assert below precisely specifies this behavior over i iterations for i ≤ n.

$Assert(A, i) =_{def}$
$\quad [nval(In1) \cdot nval(In2\{i-1\ \mathrm{to}\ 0\})]\ \rightarrow\ nval(Out\{2n-1\ \mathrm{to}\ n-i\})$
$\quad \wedge\ In2\{n-1\ \mathrm{to}\ i\} \rightarrow Out\{n-i-1\ \mathrm{to}\ 0\}$
$\quad \wedge\ In1 \rightarrow Temp$

After n steps, the product must be computed. For i = n, Assert indeed observes this requirement:

$\models Assert(A, n)\ \supset\ Goal(A)$    (*)

Expressed in the logic, the algorithm takes the following form:

$Init(A);\ (Step(A))^n$

In the next two sections, the predicates Init and Step are given in detail. Both Init and Step are derived so as to maintain Assert after looping i times for any i ≤ n:

$[i \leq n\ \wedge\ Init(A);(Step(A))^i]\ \supset\ Assert(A, i)$    (**)

Since this formula is a goal and not yet a property, we omit the validity symbol $\models$. The formulas (*) and (**) together ensure that n iterations of the loop calculate the product:

$\models Init(A);\ (Step(A))^n\ \supset\ Goal(A)$

Deriving the predicate Init

The initialisation requirement can be obtained by making sure Init satisfies Assert for i = 0:

$Init(A)\ \supset\ Assert(A, 0)$

Simplification of Assert yields the constraint

$Init(A)\ \supset$
$\quad 0 \rightarrow nval(Out\{2n-1\ \mathrm{to}\ n\})$
$\quad \wedge\ In2 \rightarrow Out\{n-1\ \mathrm{to}\ 0\}$
$\quad \wedge\ In1 \rightarrow Temp$

This can be achieved by the definition

$Init(A) =_{def}$
$\quad (0)^n \rightarrow Out\{2n-1\ \mathrm{to}\ n\}$
$\quad \wedge\ In2 \rightarrow Out\{n-1\ \mathrm{to}\ 0\}$
$\quad \wedge\ In1 \rightarrow Temp$

where $(0)^n$ equals an n-element list of 0's.

Deriving  the  predicate  Step 

The iteration step should be constructed so that after i iterations for any i < n, Step can inductively widen the scope of the assertion to i + 1 increments:

$[i < n\ \wedge\ Assert(A, i);\ Step(A)]\ \supset\ Assert(A, i+1)$



Each step achieves this by selectively adding Temp's n bits to Out, depending on Out's least bit, Out{0}. Only the top n bits of Out are actual inputs for the sum. The top n + 1 bits store the result. The remaining n − 1 bits of Out are simply shifted right. For Temp the requirement reduces to the formula

$Step(A)\ \supset\ Temp \rightarrow Temp$

This guarantees that Temp continues to remember the initial value of In1.

The constraint for Out is

$Step(A)\ \supset$
$\quad [nval(Out\{2n-1\ \mathrm{to}\ n\}) + Out\{0\} \cdot nval(Temp)]\ \rightarrow\ nval(Out\{2n-1\ \mathrm{to}\ n-1\})$
$\quad \wedge\ Out\{n-1\ \mathrm{to}\ 1\} \rightarrow Out\{n-2\ \mathrm{to}\ 0\}$

Thus the overall incremental step can be realized by the definition

$Step(A) =_{def}$
$\quad [nval(Out\{2n-1\ \mathrm{to}\ n\}) + Out\{0\} \cdot nval(Temp)]\ \rightarrow\ nval(Out\{2n-1\ \mathrm{to}\ n-1\})$
$\quad \wedge\ Out\{n-1\ \mathrm{to}\ 1\} \rightarrow Out\{n-2\ \mathrm{to}\ 0\}$
$\quad \wedge\ Temp \rightarrow Temp$
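The derivation above, run as an added executable model (not code from the thesis): Init and Step are implemented on a (Out, Temp) state, Assert(A, i) is checked after each iteration and Goal(A) at the end, so the invariant argument of (*) and (**) can be exercised on concrete inputs. The model also checks every pair of inputs for a small n, which goes beyond the single derivation in the text; the input values are constructed samples.

```python
"""Added example (not from the thesis): an executable model of the algorithm
Init(A); (Step(A))^n from section 10.2, with Assert(A, i) checked after each of
the i iterations and Goal(A) checked at the end.  A is the state (Out, Temp)
plus the initial In1 and In2, which are the values the assertion refers to.
The thesis's V{hi to lo} brackets index from the right (bit 0 is the LSB);
lists here are stored most-significant-bit first, and sub(...) converts."""


def nval(bits):
    """Unsigned value of a bit list (MSB first); nval of the empty list is 0."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def to_bits(value, width):
    """Unsigned value -> MSB-first bit list of the given width."""
    return [(value >> (width - 1 - k)) & 1 for k in range(width)]


def sub(bits, hi, lo):
    """V{hi to lo}: positions counted from the right; empty when hi < lo."""
    length = len(bits)
    return bits[length - 1 - hi: length - lo]


def init(n, in1, in2):
    """Init(A): (0)^n -> Out{2n-1 to n}, In2 -> Out{n-1 to 0}, In1 -> Temp."""
    out = [0] * n + list(in2)
    temp = list(in1)
    return out, temp


def step(n, out, temp):
    """Step(A): the top n bits plus Out{0} * Temp become the top n+1 bits;
    Out{n-1 to 1} shifts down into Out{n-2 to 0}; Temp is unchanged."""
    total = nval(sub(out, 2 * n - 1, n)) + out[-1] * nval(temp)   # out[-1] is Out{0}
    upper = to_bits(total, n + 1)                                   # -> Out{2n-1 to n-1}
    lower = sub(out, n - 1, 1)                                      # -> Out{n-2 to 0}
    return upper + lower, list(temp)


def assert_holds(n, in1, in2, out, temp, i):
    """Assert(A, i) as defined in the text, for 0 <= i <= n."""
    partial = nval(in1) * nval(sub(in2, i - 1, 0))
    return (partial == nval(sub(out, 2 * n - 1, n - i))
            and sub(in2, n - 1, i) == sub(out, n - i - 1, 0)
            and in1 == temp)


def goal_holds(in1, in2, out):
    """Goal(A): Out ends up with the product of the data inputs."""
    return nval(out) == nval(in1) * nval(in2)


def trace(n, in1, in2):
    """Return the (Out, Temp) states after Init and after each of the n steps."""
    out, temp = init(n, in1, in2)
    states = [(out, temp)]
    for _ in range(n):
        out, temp = step(n, out, temp)
        states.append((out, temp))
    return states


def multiply(n, in1, in2):
    """Run Init; Step^n and raise if Assert fails after any iteration or Goal at the end."""
    states = trace(n, in1, in2)
    for i, (out, temp) in enumerate(states):
        if not assert_holds(n, in1, in2, out, temp, i):
            raise AssertionError("Assert(A, %d) fails" % i)
    out = states[-1][0]
    if not goal_holds(in1, in2, out):
        raise AssertionError("Goal(A) fails after n steps")
    return out


def check_all(n):
    """Exhaustively check every pair of n-bit inputs; returns the number of products verified."""
    count = 0
    for a in range(2 ** n):
        for b in range(2 ** n):
            multiply(n, to_bits(a, n), to_bits(b, n))
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: 13 * 11 with n = 4 gives the 8-bit result 143.
    print(nval(multiply(4, to_bits(13, 4), to_bits(11, 4))))   # 143
    print(check_all(4))                                         # 256
```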

§10.3 Description of Implementation

The circuit specified below performs the iterative algorithm just given. The definition includes relevant timing information and is broken down into parts describing the implementation's physical structure and behavior. The primary predicate Implementation overviews operation. The device's fields are shown by ImpStructure. The predicate LoadPhase specifies device operation for initially loading the inputs. Once this is achieved, the predicate MultPhase indicates how to perform the individual multiplication steps.

$Implementation(H) =_{def}$
$\quad ImpStructure(H)$
$\quad \wedge\ \Box\,(LoadPhase(H)\ \wedge\ MultPhase(H))$

Definition of ImpStructure:


The structure of the implementation differs from that of the original specification by the addition of the internal states Temp and Status and by the omission of a count field giving the required number of clock cycles for computing a product. The vector Temp maintains the value of In1. The bit signal Status equals 1 when the device is in a steady state. The specification given below shows how to set Status to 1 and keep it at this value.


ImpStructure(H) =def
  H: struct[
    (Ck, Ld): Bit,            % Inputs
    (In1, In2): Bit^n,
    Out: Bit^{2n},            % Outputs
    Temp: Bit^n,              % Internal
    Status: Bit,
    n: nat,                   % Parameters
    (c1, c2, c3): time
  ]


An external form of the complete specification would in effect existentially quantify over the fields Temp and Status.

Definition of LoadPhase:

The body of LoadPhase specifies how to load the inputs as described in the algorithm:

$LoadPhase(H) =_{def}$
$\quad Load(H)\ \supset\ [Init(H)\ \wedge\ fin(Status = 1)]$

The predicate Load gives the required loading sequence for the circuit inputs. The predicate Init refers to the algorithm's initialisation predicate. Once loading is complete, the field Status is set to 1, indicating that the device is ready to proceed with the multiplication. The definition of Load is identical to that of its counterpart in Multiplier:

$Load(H) =_{def}$
$\quad SingleCycle(H)\ \wedge\ beg(Ld = 1)\ \wedge\ Ck\ blk\ \{Ld, In1, In2\}$

Individual clock cycles are also defined as in Multiplier:

$SingleCycle(H) =_{def}\ \downarrow^{c1,c2,c3} Ck$


Definition of MultPhase:

When the load signal is inactive at 0 and the device is steady (i.e., Status = 1), the circuit can be clocked to perform a single iteration. The algorithm's predicate Step takes place over two clock cycles. Afterwards, the device is again steady with Status equaling 1.

$MultPhase(H) =_{def}$
$\quad [Ld \approx 0\ \wedge\ (SingleCycle(H))^2\ \wedge\ beg(Status = 1)]$
$\quad \supset\ [Step(H)\ \wedge\ fin(Status = 1)]$


Implementation  theorem 

The  correspondence  between  the  implementation  Implementation  and  the  original 
multiplier  device  specification  Multiplier  is  now  given  by  the  theorem 

$\models Implementation(H)\ \supset\ Multiplier(M)$

where the mapping from H's fields to M's is

$M[field] \approx H[field],\ \text{for } field \in {}'\{In1, In2, Out\}$
$M.n = H.n$
$M.count = 2 \cdot H.n$
$M[field] = H[field],\ \text{for } field \in {}'\{c1, c2, c3\}$

The value of M.count corresponds to the 2n clock cycles needed for doing the iterative computation.

The behavioral description Implementation can itself be realised by some even lower-level specification containing further details about the timing and using a still more concrete algorithm. For example, the iterative steps are decomposable into separate adds and shifts. If desired, the development ultimately examines such things as propagation through gates.

Chapter 11

THE AM2901 BIT SLICE


The Am2901 bit slice is a member of a popular family of integrated circuits developed by Advanced Micro Devices, Inc. for building processors and controllers. The next page contains a block diagram of the device. An individual Am2901 chip consists of four-bit slices of an arithmetic logic unit, memory, bus interface and other elements. These internal devices are connected together so as to provide various ways for computing and storing values. A group of m Am2901 chips can be connected to form circuits of bit length 4m. We give a functional description of the Am2901 based on information contained in the Am2900 series' data book [1]. The temporal description is almost operational enough to be used as input to a suitable simulator. The reader desiring a detailed introduction to the Am2900 circuit family and its applications should consult the Am2900 data book [1], Mick and Brick [34] or Siewiorek et al. [43].

Definition of BitSliceStructure:

Here are the various signals and parameters used in our description of a generalised n-bit bit slice:

BitSliceStructure(N) =def
  N: struct[
    Source: sig(sourceset),            % Inputs
    Func: sig(funcset),
    Dest: sig(destset),
    D: Bit^n,
    (AAddr, BAddr): sig([0 to 15]),
    (QLsb, QMsb): Bit,
    (RamLsb, RamMsb): Bit,
    (CarryIn, OE): Bit,
    Y: Bit^n,                          % Outputs
    (CarryOut, Gen, Prop): Bit,
    (FZero, FMsb): Bit,
    Ram: (Bit^n)^{16},                 % Internal
    (Q, F, R, S): Bit^n,
    n: positive                        % Parameters
  ]

In the description of the bit slice, we represent the control input Source as a signal ranging over the elements of the set sourceset:

$sourceset =_{def}\ {}'\{AQ, AB, ZQ, ZB, ZA, DA, DQ, DZ\}$

The inputs Func and Dest range over similar sets:

$funcset =_{def}\ {}'\{add, subr, subs, or, and, notrs, exor, exnor\}$

$destset =_{def}\ {}'\{qreg, nop, rama, ramf, ramqd, ramd, ramqu, ramu\}$

The mnemonics are those used in the Am2901's data book description. A lower-level specification of the circuit can represent these fields as bit vectors. Similarly, the approach taken here has the address fields AAddr and BAddr range over the integers 0, ..., 15; a more detailed description can instead use bit vectors of length 4.

Please note: Throughout this description we refer to a vector V's most significant bit as V[0]. The least significant bit is V[n − 1], where n = |V|. This is the opposite of the style used in the Am2901 data book but is consistent with the general convention taken elsewhere in this thesis.


Definition of BitSlice:

The slice's behavior can be broken down into separate parts for the random-access memory, Q-register, arithmetic unit and bus interface:

$BitSlice(N) =_{def}$
$\quad BitSliceStructure(N)$
$\quad \wedge\ RamPart(N)$
$\quad \wedge\ QRegPart(N)$
$\quad \wedge\ AluPart(N)$
$\quad \wedge\ BusPart(N)$


§11.1 Behavior of Random-Access Memory

The memory section has individual predicates for modifying the memory, the memory's end-bits RamLsb and RamMsb and the two output latches A and B.

$RamPart(N) =_{def}$
$\quad SetRam(Ram, Dest, BAddr, F, RamLsb, RamMsb, n)$
$\quad \wedge\ SetRamLsbMsb(RamLsb, RamMsb, Dest, F, n)$
$\quad \wedge\ SetAB(A, B, Ram, AAddr, BAddr)$

Definition of SetRam:

In the description of the memory, we use the predicate rdel to refer to the unit-delay predicate del but with the operands reversed:

$U\ rdel\ V =_{def}\ V\ del\ U$

Here is the predicate SetRam itself:

$SetRam(Ram, Dest, BAddr, F, RamLsb, RamMsb, n) =_{def}$
$\quad Ram\ rdel\ \Big(\ case\ Dest\ of$
$\qquad qreg:\ Ram$
$\qquad nop:\ Ram$
$\qquad rama:\ alter(Ram, BAddr, F)$
$\qquad ramf:\ alter(Ram, BAddr, F)$
$\qquad ramqd:\ alter(Ram, BAddr, (RamMsb) \| F[0\ \mathrm{to}\ n-2])$
$\qquad ramd:\ alter(Ram, BAddr, (RamMsb) \| F[0\ \mathrm{to}\ n-2])$
$\qquad ramqu:\ alter(Ram, BAddr, F[1\ \mathrm{to}\ n-1] \| (RamLsb))$
$\qquad ramu:\ alter(Ram, BAddr, F[1\ \mathrm{to}\ n-1] \| (RamLsb))\ \Big)$

Most of the operations alter the element of Ram selected by the input BAddr.


Definition of SetRamLsbMsb:

The predicate SetRamLsbMsb takes into account the high-impedance aspects (see section §4.12) of both end-bits RamLsb and RamMsb:

$SetRamLsbMsb(RamLsb, RamMsb, Dest, F, n) =_{def}$
$\quad \Box\ \Big(\ case\ Dest\ of$
$\qquad qreg:\ true$
$\qquad nop:\ true$
$\qquad rama:\ true$
$\qquad ramf:\ true$
$\qquad ramqd:\ RamLsb = F[n-1]$
$\qquad ramd:\ RamLsb = F[n-1]$
$\qquad ramqu:\ RamMsb = F[0]$
$\qquad ramu:\ RamMsb = F[0]\ \Big)$

Definition of SetAB:

The latch A always equals the memory word addressed by AAddr. A similar relation holds between B and BAddr.

$SetAB(A, B, Ram, AAddr, BAddr) =_{def}$
$\quad (A \approx Ram[AAddr])\ \wedge\ (B \approx Ram[BAddr])$


§11.2 Behavior of Q-Register

The description of the Q-register has a predicate SetQ for Q and another predicate SetQLsbMsb for using the end-bits QLsb and QMsb.

$QRegPart(N) =_{def}$
$\quad SetQ(Q, Dest, F, QLsb, QMsb, n)$
$\quad \wedge\ SetQLsbMsb(QLsb, QMsb, Dest, Q, n)$


Definition of SetQ:

$SetQ(Q, Dest, F, QLsb, QMsb, n) =_{def}$
$\quad Q\ rdel\ \Big(\ case\ Dest\ of$
$\qquad qreg:\ F$
$\qquad nop:\ Q$
$\qquad rama:\ Q$
$\qquad ramf:\ Q$
$\qquad ramqd:\ (QMsb) \| Q[0\ \mathrm{to}\ n-2]$
$\qquad ramd:\ Q$
$\qquad ramqu:\ Q[1\ \mathrm{to}\ n-1] \| (QLsb)$
$\qquad ramu:\ Q\ \Big)$




Definition of SetQLsbMsb:

Both end-bits QLsb and QMsb can float in a state of high impedance (see section §4.12). This is taken care of in the following predicate:


§11.3 Behavior of Arithmetic Logic Unit

The arithmetic logic unit's specification has predicates associated with the many signals originating in this part of the slice.

$AluPart(N) =_{def}$
$\quad SetRS(R, S, Source, A, B, D, Q, n)$
$\quad \wedge\ SetF(F, Func, R, S, CarryIn, n)$
$\quad \wedge\ SetCarryOut(CarryOut, Func, R, S, CarryIn, n)$
$\quad \wedge\ SetOverflow(Overflow, Func, R, S, CarryIn, n)$
$\quad \wedge\ SetGen(Gen, Func, R, S, n)$
$\quad \wedge\ SetProp(Prop, Func, R, S, n)$
$\quad \wedge\ SetFZeroFMsb(FZero, FMsb, F, n)$

Definition of SetRS:

$SetRS(R, S, Source, A, B, D, Q, n) =_{def}$
$\quad (R, S) = \Big(\ case\ Source\ of$
$\qquad AQ:\ (A, Q)$
$\qquad AB:\ (A, B)$
$\qquad ZQ:\ (zero, Q)$
$\qquad ZB:\ (zero, B)$
$\qquad ZA:\ (zero, A)$
$\qquad DA:\ (D, A)$
$\qquad DQ:\ (D, Q)$
$\qquad DZ:\ (D, zero)\ \Big)$

where $zero = (0)^n$, that is, a sequence consisting of n repetitions of 0.

Definition of SetF:

The following predicate shows arithmetic behavior for bit-vectors representing unsigned numbers:

$SetF(F, Func, R, S, CarryIn, n) =_{def}$
$\quad case\ Func\ of$
$\qquad add:\ nval(F) = [nval(R) + nval(S) + CarryIn] \bmod 2^n$
$\qquad subr:\ nval(F) = [nval(\neg R) + nval(S) + CarryIn] \bmod 2^n$
$\qquad subs:\ nval(F) = [nval(R) + nval(\neg S) + CarryIn] \bmod 2^n$
$\qquad or:\ F = (R \vee S)$
$\qquad and:\ F = (R \wedge S)$
$\qquad notrs:\ F = ((\neg R) \wedge S)$
$\qquad exor:\ F = (R \oplus S)$
$\qquad exnor:\ F = \neg(R \oplus S)$

Here the operator $\oplus$ represents exclusive-or. The Boolean operations such as $R \wedge S$ are applied bitwise to the vectors. The table can be augmented with information about arithmetic operations using one's and two's-complement representations.




Definition of SetCarryOut:

In the case-expression given below, hyphens indicate unspecified entries and are not partial values; a more detailed description could fill them in. The function carry determines the resulting carry output and is defined in section §6.4 in the discussion of carry look-ahead adders.

$SetCarryOut(CarryOut, Func, R, S, CarryIn, n) =_{def}$
$\quad CarryOut = \Big(\ case\ Func\ of$
$\qquad add:\ carry(n, nval(R), nval(S), CarryIn)$
$\qquad subr:\ carry(n, nval(\neg R), nval(S), CarryIn)$
$\qquad subs:\ carry(n, nval(R), nval(\neg S), CarryIn)$
$\qquad or:\ -$
$\qquad and:\ -$
$\qquad notrs:\ -$
$\qquad exor:\ -$
$\qquad exnor:\ -\ \Big)$


Definition of SetOverflow:

In determining the overflow bit's value, the two's-complement interpretations of the incoming bit vectors R and S are used. The function tcval(X) takes a bit vector X and computes its numerical value based on representation by two's complement:

$tcval(X) =_{def}\ \text{if } X[0] = 0 \text{ then } nval(X) \text{ else } -[2^{|X|} - nval(X)]$

$SetOverflow(Overflow, Func,R, S, CarryIn, n) =_{def}$
$\quad Overflow = \Big(\ case\ Func\ of$
$\qquad add:\ overflow(n, tcval(R), tcval(S), CarryIn)$
$\qquad subr:\ overflow(n, tcval(\neg R), tcval(S), CarryIn)$
$\qquad subs:\ overflow(n, tcval(R), tcval(\neg S), CarryIn)$
$\qquad or:\ -$
$\qquad and:\ -$
$\qquad notrs:\ -$
$\qquad exor:\ -$
$\qquad exnor:\ -\ \Big)$

Here the function overflow equals 1 iff two's-complement overflow is occurring and is defined as follows:

$overflow(n, i, j, cin) =_{def}\ \text{if } -2^{n-1} \leq (i + j + cin) \leq 2^{n-1} - 1 \text{ then } 0 \text{ else } 1$

Both parameters i and j can range over negative and nonnegative integers.


Definition of SetGen and SetProp:

The predicates SetGen and SetProp describe the bit slice's carry-lookahead signals. The functions carrygen and carryprop are defined in section §6.4.

$SetGen(Gen, Func, R, S, n) =_{def}$
$\quad Gen = \Big(\ case\ Func\ of$
$\qquad add:\ \neg carrygen(n, nval(R), nval(S))$
$\qquad subr:\ \neg carrygen(n, nval(\neg R), nval(S))$
$\qquad subs:\ \neg carrygen(n, nval(R), nval(\neg S))$
$\qquad or:\ -$
$\qquad and:\ -$
$\qquad notrs:\ -$
$\qquad exor:\ -$
$\qquad exnor:\ -\ \Big)$

$SetProp(Prop, Func, R, S, n) =_{def}$
$\quad Prop = \Big(\ case\ Func\ of$
$\qquad add:\ \neg carryprop(n, nval(R), nval(S))$
$\qquad subr:\ \neg carryprop(n, nval(\neg R), nval(S))$
$\qquad subs:\ \neg carryprop(n, nval(R), nval(\neg S))$
$\qquad or:\ -$
$\qquad and:\ -$
$\qquad notrs:\ -$
$\qquad exor:\ -$
$\qquad exnor:\ -\ \Big)$

Definition of SetFZeroFMsb:

The values of the bit signals FZero and FMsb are derived from F:

$SetFZeroFMsb(FZero, FMsb, F, n) =_{def}$
$\quad (FZero = \text{if } (F = (0)^n) \text{ then } 1 \text{ else } 0)\ \wedge\ (FMsb = F[0])$
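The ALU predicates of this section (SetF, SetCarryOut, SetOverflow and SetFZeroFMsb), as an added executable model that is not code from the thesis: it evaluates the case expressions for every element of funcset, including tcval and the overflow function defined above, on constructed 4-bit operands. The function carry is defined in §6.4, which is not on this page; the form used here (the carry out of an n-bit unsigned addition) is an assumption.

```python
"""Added example (not from the thesis): an executable model of the Am2901 ALU
predicates SetF, SetCarryOut, SetOverflow and SetFZeroFMsb of section 11.3.
Bit lists are MSB first (X[0] is the sign bit), as in the chapter.  The
function carry comes from section 6.4 of the thesis, which is not on this
page; the form used here (carry out of an n-bit unsigned add) is an
assumption."""

FUNCSET = ("add", "subr", "subs", "or", "and", "notrs", "exor", "exnor")


def nval(x):
    """Unsigned value of an MSB-first bit list."""
    v = 0
    for b in x:
        v = (v << 1) | b
    return v


def to_bits(v, n):
    """Unsigned value -> MSB-first bit list of length n."""
    return [(v >> (n - 1 - k)) & 1 for k in range(n)]


def complement(x):
    """Bitwise negation, the thesis's notation for the complement of a vector."""
    return [1 - b for b in x]


def tcval(x):
    """tcval(X) from the text: two's-complement value of X, sign bit X[0]."""
    return nval(x) if x[0] == 0 else -(2 ** len(x) - nval(x))


def overflow(n, i, j, cin):
    """overflow(n, i, j, cin) from the text: 1 iff i + j + cin leaves [-2^(n-1), 2^(n-1) - 1]."""
    return 0 if -(2 ** (n - 1)) <= i + j + cin <= 2 ** (n - 1) - 1 else 1


def carry(n, i, j, cin):
    """Assumed form of the section 6.4 function carry: carry out of an n-bit unsigned addition."""
    return 1 if i + j + cin >= 2 ** n else 0


def alu(func, r, s, carry_in):
    """Evaluate the case expressions of SetF, SetCarryOut, SetOverflow and SetFZeroFMsb.
    Returns (F, CarryOut, Overflow, FZero, FMsb); CarryOut and Overflow are None for the
    logical operations, whose entries the text leaves unspecified ('-')."""
    n = len(r)
    if len(s) != n or func not in FUNCSET:
        raise ValueError("bad operands")
    if func in ("add", "subr", "subs"):
        x = complement(r) if func == "subr" else r     # subr: S - R = (not R) + S + CarryIn
        y = complement(s) if func == "subs" else s     # subs: R - S = R + (not S) + CarryIn
        f = to_bits((nval(x) + nval(y) + carry_in) % 2 ** n, n)
        carry_out = carry(n, nval(x), nval(y), carry_in)
        ovf = overflow(n, tcval(x), tcval(y), carry_in)
    else:
        bitwise = {
            "or":    lambda a, b: a | b,
            "and":   lambda a, b: a & b,
            "notrs": lambda a, b: (1 - a) & b,
            "exor":  lambda a, b: a ^ b,
            "exnor": lambda a, b: 1 - (a ^ b),
        }
        f = [bitwise[func](a, b) for a, b in zip(r, s)]
        carry_out = ovf = None
    f_zero = 1 if f == [0] * n else 0       # FZero: F = (0)^n
    f_msb = f[0]                            # FMsb: F[0]
    return f, carry_out, ovf, f_zero, f_msb


if __name__ == "__main__":
    # Constructed sample: 7 + 1 in 4 bits is 8 unsigned, but overflows as two's complement.
    print(alu("add", to_bits(7, 4), to_bits(1, 4), 0))     # ([1, 0, 0, 0], 0, 1, 0, 1)
    # Constructed sample: subr computes S - R = 5 - 3 with CarryIn = 1.
    print(alu("subr", to_bits(3, 4), to_bits(5, 4), 1))    # ([0, 0, 1, 0], 1, 0, 0, 0)
```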
§11.4 Behavior of Bus Interface

$BusPart(N) =_{def}$
$\quad SetY(Y, Dest, F, A, OE)$

Definition of SetY:

When the signal OE equals 0, the bus interface Y is enabled and receives a value according to the case formula. When the bus interface is disabled with OE equaling 1, Y's behavior is left unspecified, thus modeling the effects of high impedance.

$SetY(Y, Dest, F, A, OE) =_{def}$
$\quad \Box\,[(OE = 0)\ \supset\ (Y = \Big(\ case\ Dest\ of$
$\qquad rama:\ A$
$\qquad ramf:\ F$
$\qquad ramqd:\ F$
$\qquad ramd:\ F$
$\qquad ramqu:\ F$
$\qquad ramu:\ F\ \Big))]$


§11.5  Composition  of  Two  Bit  Slices 

The predicate CombineTwoBitSlices describes how to combine two bit-slices in parallel to form a larger one. The bit slice M contains the more significant bits and L contains the less significant ones.

$CombineTwoBitSlices(M, L) =_{def}$
$\quad BitSlice(M)\ \wedge\ BitSlice(L)$
$\quad \wedge\ M[field] \approx L[field],\ \text{for } field \in {}'\{Source, Func, Dest, AAddr, BAddr, OE\}$
$\quad \wedge\ (M.RamLsb \approx L.RamMsb)\ \wedge\ (M.QLsb \approx L.QMsb)$
$\quad \wedge\ (M.CarryIn \approx L.CarryOut)$

The next property expresses how the implementation's various signals are mapped to the overall bit slice:

$\models CombineTwoBitSlices(M, L)\ \supset\ BitSlice(N)$

where the tuple N is constructed as follows:

$N[field] \approx M[field],\ \text{for } field \in {}'\{Source, Func, Dest, AAddr, BAddr, OE\}$
$N[field] \approx M[field],\ \text{for } field \in {}'\{QMsb, RamMsb, CarryOut, FMsb\}$
$N[field] \approx L[field],\ \text{for } field \in {}'\{QLsb, RamLsb, CarryIn\}$
$N[field] \approx M[field] \| L[field],\ \text{for } field \in {}'\{D, Y, Q, F, R, S\}$
$N.Ram[i] \approx M.Ram[i] \| L.Ram[i],\ \text{for } 0 \leq i \leq 15$
$N.Gen \approx [M.Gen \wedge (M.Prop \vee L.Gen)]$
$N.Prop \approx (M.Prop \vee L.Prop)$
$N.FZero \approx (M.FZero \wedge L.FZero)$
$N.n = M.n + L.n$

§11.6 Timing Details

The predicate BitSlice presented here contains little quantitative information about timing. For example, the bit slice's clock input is not mentioned. One way to include timing details is by giving behavioral descriptions at a level similar to those discussed in previous chapters. For example, the arithmetic unit can be specified in a manner similar to that used in the predicates BasicAdder, DetailedAdder and CarryLookAheadAdder. A predicate such as ShiftRegister can be modified to capture the behavior of the Q-register.

Chapter 12

DISCUSSION


§12.1  Related  Work 

We now mention some related research on the semantics of hardware. Gordon's work [15,16] on register-transfer systems uses a denotational semantics with partial values to provide a concise means for reasoning about clocking, feedback, instruction-set implementation and bus communication. Talantsev [47] as well as Betancourt and McCluskey [7] examine qualitative signal transition concepts corresponding to $\uparrow X$ and $\downarrow X$. Wagner [49] also uses such constructs as $\uparrow X$ in a semi-automated proof development system for reasoning about signal transitions and register transfer behavior. Malachi and Owicki [28] utilise a temporal logic to model self-timed digital systems by giving a set of axioms. Bochmann [9] uses a linear-time temporal logic to describe and verify properties of an arbiter, a device for regulating access to shared resources. The presentation reveals some tricky aspects in reasoning about such components.

Leinwand and Lamdan [26] present a type of Boolean algebra for modeling signal transitions. Applications include systems with feedback and critical timing constraints. Patterson [36] examines the verification of firmware from the standpoint of sequential programming. Meinen [33] discusses a semantics of register transfer behavior. McWilliams [27] develops computational techniques for determining timing constraints in hardware. Eveking [13] uses predicate calculus with explicit time variables to explore verification in the hardware specification language Conlan.

A number of people have used temporal logics to describe computer communication protocols [18,25,40]. Bernstein and Harter [6] augment linear-time temporal logic with a construct for expressing that one event is followed by another within some specified time range. This facilitates the treatment of various quantitative timing issues. Recently Schwartz et al. [41] have introduced a temporal logic for reasoning about intervals. They distinguish intervals from propositions.

The research mentioned above has made large strides in developing a semantics
of digital systems. However, for our purposes much of this work either has
difficulties in treating quantitative timing, lacks rigor, is unintuitive or does not
easily generalise. This seems unavoidable due to the magnitude of the problem
area. We note that the computational models used in works on temporal logic
generally interleave the executions of different processes. In the treatment of digital
circuits, this approach seems inappropriate. We have chosen instead to model true
parallelism. The semantics of the connective logical-and ($\wedge$) appear to directly
correspond to this.

It  might  seem  that  temporal  logic  is  simply  a  subset  of  dynamic  logic  [19,37]. 
However,  once  interval-dependent  constructs  are  added,  this  is  no  longer  the  case. 
Operators  such  as  semicolon  and  yields  are  not  directly  expressible  in  dynamic  logic. 
Furthermore,  the  descriptive  styles  used  in  dynamic  logic  and  temporal  logic  differ 
rather  greatly.  Dynamic  logic  and  process  logics  [11,20,38]  stress  the  interaction 
between  programs  and  propositions.  ITL  is  expressive  enough  to  conveniently  and 
directly  specify  a  variety  of  programs  containing  such  constructs  as  assignments, 
while-loops  and  procedures.  Our  current  view  is  that  the  addition  of  program 
variables  would  be  redundant. 

Lamport [25] feels that temporal logic is a valuable tool but advocates against
the use of the operator next by claiming that this introduces unnecessary granularity
into the reasoning process. We do not agree and believe that explicit access to discrete
state transitions is invaluable when dealing with such concepts as iteration and
feedback. Furthermore, temporal logic appears to be flexible enough to facilitate
projecting out critical points in a computation so as to ignore intermediate states.
Thus, specifications and theorems that assume a certain degree of atomicity can be
generalised. If temporal logic is itself used as a programming language, constructs
such as del that are based on $\bigcirc$ occupy a snug and secure place in the overall
formalism.

§12.2  Future  Research  Directions 

There  are  many  aspects  of  interval  temporal  logic  that  require  more  investiga¬ 
tion.  We  now  point  out  a  few. 

Proof  theory 

All the valid properties presented in this thesis have been justified on the
basis of ITL's semantics. Work should be done on suitably axiomatising various
parts of the logic and automating some of the proof process. For example, if bit
signals are represented as truth values, simple versions of temporal constructs such
as stability (stb) and unit delay (del) can be expressed and reasoned about using
existing propositional linear-time temporal logics [14] and their axiomatizations and
decision procedures. Using a program written by Frank Yellin, we have already
automatically established properties such as the following:

$\models (\Box X \wedge \Box Y) \supset \Box (X \wedge Y)$

$\models (X\ \mathit{del}\ X) \equiv \mathit{stb}\ X$

Some  variants  of  temporal  logic 

There  are  a  variety  of  operators  and  concepts  that  can  be  added  to  temporal 
logic.  We  discuss  some  here. 

Ignoring intervals

Many of the concepts presented here can generally be expressed in linear-time
temporal logic [31] with $\bigcirc$, $\Box$, $\Diamond$ and $\mathcal{U}$. In section §2.4 we gave a linear translation
from local propositional ITL to linear-time temporal logic with quantification.
However, the clarity and modularity provided by semicolon and other interval-dependent
constructs is often lost. A more detailed understanding of the various
tradeoffs involved and the proper roles of different temporal logics should be developed.

Infinite intervals

In  the  semantics  already  given,  all  intervals  are  restricted  to  being  finite.  It  can 
however  be  advantageous  to  consider  infinite  intervals  arising  out  of  nonterminating 
computations.  As  we  mentioned  in  section  §2.4,  the  inclusion  of  such  intervals  does 
not  alter  the  complexity  of  satisfiability. 

Traces

The trace of a signal $A$ in an interval $s_0 \ldots s_n$ can be defined as the sequence
of values that $A$ assumes:

$\mathit{trace}(A) = \langle \bigcirc^{i} A : 0 \le i \le \mathit{len} \rangle,$

that is,

$\mathit{trace}(A) = \langle \bigcirc^{0} A,\ \bigcirc^{1} A,\ \ldots,\ \bigcirc^{\mathit{len}} A \rangle$

In an interval of length $n$, the trace of a variable has length $n + 1$.

The following property shows how to express unit delay by comparing the traces
of the input and output:

$\models (A\ \mathit{del}\ B) \equiv [\mathit{trace}(A)[0\ \mathrm{to}\ \mathit{len}-1] = \mathit{trace}(B)[1\ \mathrm{to}\ \mathit{len}]]$

It  would  be  interesting  to  compare  the  use  of  traces  with  other  styles  of  specification. 
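As an added example (not the thesis's own code, and in Python rather than a proof tool), the trace and unit-delay definitions above over intervals represented as lists of states, together with a finite-model check of the two properties listed under "Proof theory", ⊨ (X del X) ≡ stb X and ⊨ (□X ∧ □Y) ⊃ □(X ∧ Y); the sample interval and the bit-valued enumeration are constructed here.

```python
from itertools import product

def trace(interval, a):
    """trace(A) = <○^0 A, ○^1 A, ..., ○^len A>: A's value in each state of the
    interval, so an interval of length n gives a trace of n+1 values."""
    return [state[a] for state in interval]

def stb(interval, a):
    """stb A: A holds a single value throughout the interval."""
    return len(set(trace(interval, a))) <= 1

def delay(interval, a, b):
    """A del B: trace(A)[0 to len-1] = trace(B)[1 to len], i.e. B lags A by
    exactly one state (trivially true on an interval of length 0)."""
    ta, tb = trace(interval, a), trace(interval, b)
    return ta[:-1] == tb[1:]

def always(interval, w):
    """□ w: the interval formula w holds on every suffix subinterval."""
    return all(w(interval[i:]) for i in range(len(interval)))

def holds(a):
    """A bit signal read as a truth value: true when it is 1 in the first state."""
    return lambda interval: interval[0][a] == 1

def bit_intervals(variables, max_len):
    """Every bit-valued interval over the given variables up to length max_len
    (constructed here as a finite model for exhaustive checking)."""
    k = len(variables)
    for n in range(max_len + 1):
        for bits in product((0, 1), repeat=(n + 1) * k):
            yield [dict(zip(variables, bits[i * k:(i + 1) * k])) for i in range(n + 1)]

def check_del_equals_stb(max_len=4):
    """Exhaustively confirm ⊨ (X del X) ≡ stb X on bit intervals up to max_len."""
    return all(delay(iv, "X", "X") == stb(iv, "X")
               for iv in bit_intervals(["X"], max_len))

def check_box_distributes_over_and(max_len=3):
    """Exhaustively confirm ⊨ (□X ∧ □Y) ⊃ □(X ∧ Y) on bit intervals up to max_len."""
    both = lambda iv: holds("X")(iv) and holds("Y")(iv)
    return all((not (always(iv, holds("X")) and always(iv, holds("Y"))))
               or always(iv, both)
               for iv in bit_intervals(["X", "Y"], max_len))

# Constructed sample: B reproduces A one state later, so A del B holds.
SAMPLE = [{"A": 0, "B": 1}, {"A": 1, "B": 0}, {"A": 1, "B": 1},
          {"A": 0, "B": 1}, {"A": 1, "B": 0}]

if __name__ == "__main__":
    print(trace(SAMPLE, "A"), trace(SAMPLE, "B"))
    print(delay(SAMPLE, "A", "B"), check_del_equals_stb(), check_box_distributes_over_and())
```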

Projection 

Sometimes it is desirable to examine the behavior of a device at certain points in
time and ignore all intermediate states. This can be done using the idea of temporal
projection. The formula $w_1 \,\Pi\, w_2$ in an interval forms a subinterval consisting of
those states where $w_1$ is true and then determines the value of $w_2$ in this subinterval:

$\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \,\Pi\, w_2]\!] = \mathcal{M}_{t_0 \ldots t_m}[\![w_2]\!],$

where $t_0 \ldots t_m$ is the sequence of the states in $s_0 \ldots s_n$ that satisfy $w_1$:

$\mathcal{M}_{t_i}[\![w_1]\!] = \mathit{true}, \quad \text{for } 0 \le i \le m$

Note that $t_0 \ldots t_m$ need not be a contiguous subsequence of $s_0 \ldots s_n$. If no states
can be found, the projection is vacuously true. In the semantics given here, the
formula $w_1$ examines states, not intervals. For example, the formula

$(X = 1)\ \Pi\ \mathit{stb}\ A$

is true if $A$ has a constant value throughout the states where $X$ equals 1. Variables
like $X$ act as markers for measuring time and facilitate different levels of atomicity.
If two parts of a system are active at different times or are running at different
rates, markers can be constructed to project away the asynchrony. Other styles
of projection are also possible. For example, a "synchronous" form of projection
might require the marker to be true in the initial and final states of an interval.
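An added example (not from the thesis) of the projection operator over a constructed interval: the marker X = 1 selects the clocked states, so stb A and [(I+1) del I] hold in the projection although neither holds on the raw interval; `sync_project` is our reading of the synchronous variant mentioned at the end of the paragraph.

```python
def project(interval, marker, w):
    """w1 Π w2: gather the states where the state formula w1 (the marker) holds,
    not necessarily contiguous, and evaluate the interval formula w2 on them.
    With no marked state the projection is vacuously true."""
    sub = [s for s in interval if marker(s)]
    return True if not sub else w(sub)

def sync_project(interval, marker, w):
    """The 'synchronous' variant sketched in the text (our reading): additionally
    require the marker to hold in the initial and final states of the interval."""
    if not interval or not (marker(interval[0]) and marker(interval[-1])):
        return False
    return project(interval, marker, w)

def stb(a):
    """stb A as an interval formula: A keeps one value over the interval."""
    return lambda iv: len({s[a] for s in iv}) <= 1

def delay_of_inc(a):
    """[(A+1) del A] as an interval formula: A grows by one from state to state."""
    return lambda iv: [s[a] + 1 for s in iv[:-1]] == [s[a] for s in iv[1:]]

def clock_is(value):
    """State formula used as a marker: the clock signal X equals value."""
    return lambda s: s["X"] == value

# Constructed interval: A and I are only meaningful on cycles where X = 1.
# Between ticks A jitters and I settles early, so the unprojected interval
# satisfies neither stb A nor [(I+1) del I].
INTERVAL = [
    {"X": 1, "A": 3, "I": 0}, {"X": 0, "A": 7, "I": 0}, {"X": 0, "A": 3, "I": 0},
    {"X": 1, "A": 3, "I": 1}, {"X": 0, "A": 9, "I": 1}, {"X": 0, "A": 2, "I": 2},
    {"X": 1, "A": 3, "I": 2}, {"X": 0, "A": 5, "I": 2}, {"X": 1, "A": 3, "I": 3},
]

def marked_a_stable(interval=INTERVAL):
    """(X = 1) Π stb A: A is constant on the clocked states."""
    return project(interval, clock_is(1), stb("A"))

def marked_i_counts(interval=INTERVAL):
    """(X = 1) Π [(I+1) del I]: seen at the clock ticks, I counts 0, 1, 2, 3."""
    return project(interval, clock_is(1), delay_of_inc("I"))

def unmarked_results(interval=INTERVAL):
    """Without projection the same two formulas fail on this interval."""
    return stb("A")(interval), delay_of_inc("I")(interval)

if __name__ == "__main__":
    print(marked_a_stable(), marked_i_counts(), unmarked_results())
```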

In section §2.3 we showed how to express the iterative construct $w^*$ by means
of a marker $P$:

$w^* \equiv_{\mathit{def}} \exists P.\,(\mathit{beg}\,P \wedge \Box[\mathit{beg}\,P \supset (\mathit{empty} \vee \Diamond(w \wedge \bigcirc\,\mathit{halt}\,\mathit{beg}\,P))])$

This provides a general means for identifying the end points of the iteration steps
and extracting them using projection. It is even desirable to have variants of the
iteration constructs for making markers explicit. For example, the extended while-loop

$\mathit{while}_P\ Q\ \mathit{do}\ R$

indicates that $P$ marks off individual steps. Other constructs such as next and trace
can have marker-oriented variants.

We feel that low-level clocking and propagation details in digital circuits can
be more effectively decoupled from high-level functional behavior through the
introduction of markers and projection. The Am2901 bit slice discussed in chapter
11 might be a good test of this hypothesis.

Additional modifications

Further  possible  extensions  include  interval  temporal  logics  based  on  branching 
or  probabilistic  models  of  time.  Operators  for  reversing  or  expanding  an  interval 
may  also  turn  out  to  be  useful. 

Temporal  types  and  higher-order  temporal  objects 

A theory of temporal types needs to be developed. This should provide various
ways of constructing and comparing types. For example, the predicate $p^*$ is true
for vectors of arbitrary, possibly null length whose elements all satisfy $p$. Thus, the
type $\mathit{bit}^*$ is true for all bit-vectors. The type $\mathit{sig}(\mathit{bit}^*)$ is true for any bit vector
signal with a possibly varying length. The temporal type $\mathit{Bit}^*$ requires that the
signal's length be fixed over time:

$\models A : \mathit{Bit}^* \equiv [A : \mathit{sig}(\mathit{bit}^*) \wedge \mathit{stb}\,|A|]$

We hope to permit parameterised types such as $\mathit{sig}(\alpha \times \tau)$, where $\alpha$ and $\tau$ are
type-valued variables. Operators for such things as unioning or recursively defining
types also need to be developed. Perhaps the techniques needed here can be made
general enough so that any unary predicate can be viewed as a type.

It would be interesting to have a semantics of higher-order temporal objects
such as time-dependent functionals. Perhaps a suitable variant of propositional ITL
can facilitate some sort of Gödelisation by representing all values as temporal
formulas. Alternatively, an encoding like that used by Scott [42,45] in developing
a model of the typeless lambda calculus might work. However, we wish to strongly
resist the introduction of partial values. One concession we make in this direction
is to not require that every function have a fixed point.

Temporal logic as a programming language

Temporal logic can be used directly as a programming language. For example,
the formula

$\mathit{beg}(I = 0) \wedge [(I+1)\ \mathit{del}\ I] \wedge \mathit{halt}(I = 5)$

can be viewed operationally as initialising $I$ to 0, and then incrementing $I$ by 1 over
each computation step until $I$ equals 5. At that instant, the computation halts. This
style of temporal programming is similar to the language Lucid [2,4] developed by
Ashcroft and Wadge. Note that the formula given above has the same semantics
as the following:

$\mathit{beg}(I = 0) \wedge \mathit{while}\ (I \ne 5)\ \mathit{do}\ (\mathit{skip} \wedge [I + 1 \rightarrow I])$

This  illustrates  how  by  using  ITL  we  can  compare  different  ways  of  expressing  the 
same  computation. 

In general, if $w_1$ and $w_2$ are temporal formulas, the combined form $w_1 \wedge w_2$
operationally specifies that $w_1$ and $w_2$ be run in parallel. Note that $w_1$ and $w_2$ are
implicitly synchronised to start and finish at the same time. Similarly, the formula
$w_1 ; w_2$ involves running $w_1$ and then $w_2$. For example, the formula

$([0 \rightarrow I] \wedge [0 \rightarrow J]);\ \mathit{while}\ (I \ne n)\ \mathit{do}\ ([I + 1 \rightarrow I] \wedge [I + J \rightarrow J])$

clears $I$ and $J$ and then repeatedly increments $I$ and simultaneously sums $I$ into $J$.
Asynchronous operations can also be handled. For instance, the formula

$(\mathit{stb}\,I \wedge \mathit{halt}(X = 1));\ [(I + 1)\ \mathit{del}\ I]$

leaves $I$ stable until the flag $X$ equals 1 and then keeps increasing $I$ by 1.
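An added example, not the thesis's or Tempura's code, giving the operational reading of the three temporal programs above and checking the first against its declarative reading; it assumes that every temporal assignment is carried out over one unit step, and the initial state and the flag trace are constructed.

```python
def run_counter(limit):
    """Operational reading of beg(I = 0) ∧ [(I+1) del I] ∧ halt(I = limit):
    initialise I to 0, add 1 every step, and end the interval the moment
    I = limit. The while-loop form with skip ∧ [I+1 → I] takes the same steps."""
    states = [{"I": 0}]
    while states[-1]["I"] != limit:
        states.append({"I": states[-1]["I"] + 1})
    return states

def satisfies_counter(states, limit):
    """Declarative reading of the same formula, checked on a finished interval:
    beg(I = 0), (I+1) del I on every step, and halt(I = limit), i.e. I = limit
    exactly in the final state and nowhere earlier."""
    i = [s["I"] for s in states]
    return (i[0] == 0
            and [v + 1 for v in i[:-1]] == i[1:]
            and [v == limit for v in i] == [False] * (len(i) - 1) + [True])

def run_summer(initial, n):
    """([0 → I] ∧ [0 → J]); while (I ≠ n) do ([I+1 → I] ∧ [I+J → J]).
    Assumption made here: each temporal assignment takes one unit step, so the
    clearing prefix is a single transition from the constructed initial state, and
    each loop body updates I and J in parallel from the step's initial values."""
    states = [dict(initial), {"I": 0, "J": 0}]
    while states[-1]["I"] != n:
        i, j = states[-1]["I"], states[-1]["J"]
        states.append({"I": i + 1, "J": i + j})
    return states

def run_async(initial_i, x_trace):
    """(stb I ∧ halt(X = 1)); [(I+1) del I] driven by a constructed flag trace:
    I is held until the first state with X = 1 (that state is shared by the two
    chop operands) and counts up from there. If X never becomes 1 the first
    operand cannot terminate, so the formula has no finite model: return None."""
    if 1 not in x_trace:
        return None
    first = x_trace.index(1)
    states = [{"X": x, "I": initial_i} for x in x_trace[:first + 1]]
    for x in x_trace[first + 1:]:
        states.append({"X": x, "I": states[-1]["I"] + 1})
    return states

if __name__ == "__main__":
    run = run_counter(5)
    print([s["I"] for s in run], satisfies_counter(run, 5))
    print(run_summer({"I": 9, "J": 4}, 4)[-1])
    print([s["I"] for s in run_async(7, [0, 0, 1, 0, 0, 0])])
```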

Manna and Moszkowski [20,30] describe how to reason about programming
concepts in ITL and also present a prototype programming language called Tempura
that is based on the ideas just given. Along with the programming languages
Lucid and Prolog [24], Tempura has the property of having a semantics based on
logic. Much work remains ahead in exploring this temporal approach to language
design and developing practical techniques for specifying, executing, transforming,
synthesising and verifying Tempura programs. We strongly feel that there is a
large potential for the cross-fertilisation of ideas arising from simultaneously using
temporal logic as a hardware specification tool and as a basis for general-purpose
programming languages. It also appears worthwhile to examine interpreters and
other systems that transmit and manipulate commands and programs. Perhaps the
state sequences of temporal logic can also be used as a convenient basis for logics
of, say, formal languages, typesetting and music. More generally, temporal logic
may provide a semantics of both time and space.

Hardware 

The  largest  device  considered  in  this  thesis  is  the  Am2901  bit  slice;  there 
is  clearly  no  reason  to  stop  at  that.  Future  work  will  explore  microprocessors, 
pipelines,  buses  and  protocols,  DMA,  firmware  and  instruction  sets,  as  well  as  the 
combined  semantics  of  hardware  and  software.  The  treatment  of  specific  areas 
such  as  fault-analysis  also  seems  worthwhile.  It  would  be  interesting  to  see  how 
suitable  ITL  is  as  a  tool  for  teaching  the  basic  operation  of  digital  circuits  covered 
in  such  textbooks  as  Gschwind  and  McCluskey  [17]  and  Hill  and  Peterson  [21].  The 
feasibility  of  hardware-oriented  simulation  languages  based  on  subsets  of  ITL  should 
certainly  be  investigated.  For  example,  propositional  ITL  can  be  used  for  bit-valued 
signals. 

§12.3  Conclusion 

Standard temporal logics and other such notations are not designed to concisely
handle the kinds of quantitative timing properties, signal transitions and structural
information occurring in the examples considered. Temporal intervals provide a
unifying means for presenting a wide range of digital devices and concepts. Interval
temporal logic can be used for both specifying and reasoning about circuits and
their properties. The same formalism that handles devices with clock signals, set-up
constraints and hold times can also deal with high-level algorithms. The omission
of partial values does not appear to restrict the generality of specifications; even
high-impedance can be treated.

The  future  seems  bright.  Let  us  therefore  conclude  this  thesis  with  the  conjec¬ 
ture  that  temporal  logics  will  be  around  for  a  long  interval  to  come. 